WO2021138663A1 - Security protection of association between a user device and a user - Google Patents


Info

Publication number: WO2021138663A1
Authority: WO (WIPO (PCT))
Application number: PCT/US2021/012066
Other languages: French (fr)
Inventors: Vinjith Nagaraja, Dhaval Gangar
Original assignee: Visa International Service Association
Prior art keywords: data, identifier, user, account owner, computer
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Visa International Service Association
Priority to EP21736223.5A (EP4085592A4)
Publication of WO2021138663A1

Classifications (CPC)

    • G PHYSICS; G06 COMPUTING; CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
        • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                • G06F 21/44 Program or device authentication
            • G06F 21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
                • G06F 21/107 License processing; Key processing
    • G PHYSICS; G06 COMPUTING; CALCULATING OR COUNTING; G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
        • G06Q 20/00 Payment architectures, schemes or protocols
            • G06Q 20/02 Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
            • G06Q 20/08 Payment architectures
                • G06Q 20/20 Point-of-sale [POS] network systems
                    • G06Q 20/206 Point-of-sale [POS] network systems comprising security or operator identification provisions, e.g. password entry
            • G06Q 20/38 Payment protocols; Details thereof
                • G06Q 20/385 Payment protocols using an alias or single-use codes
                • G06Q 20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
                    • G06Q 20/401 Transaction verification
                        • G06Q 20/4012 Verifying personal identification numbers [PIN]
                        • G06Q 20/4014 Identity check for transactions
                            • G06Q 20/40145 Biometric identity checks
                    • G06Q 20/405 Establishing or using transaction specific rules
                • G06Q 20/42 Confirmation, e.g. check or permission by the legal debtor of payment
                    • G06Q 20/425 Confirmation using two different networks, one for transaction and one for security confirmation
    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                • H04L 63/083 using passwords
                    • H04L 63/0838 using one-time-passwords
                • H04L 63/0853 using an additional device, e.g. smartcard, SIM or a different communication terminal
                • H04L 63/0861 using biometrical features, e.g. fingerprint, retina-scan
                • H04L 63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L 63/1441 Countermeasures against malicious traffic
                    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04W WIRELESS COMMUNICATION NETWORKS
        • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/06 Authentication
            • H04W 12/12 Detection or prevention of fraud
                • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
                • H04W 12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
                • H04W 12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
            • H04W 12/40 Security arrangements using identity modules

Definitions

  • Networks (e.g., computer, communications, or data networks) are used extensively throughout the world to connect individuals and organizations and to make ecommerce possible.
  • A user or ‘account owner’ may use a computing device to communicate with another computing device or with the computer system of an organization through a communication network operated by one or more service providers.
  • A service provider may identify the account owner by an addressable identifier, identify a device belonging to the user by a hardware-based network identifier, and associate the addressable identifier with the hardware-based network identifier so that communications can be directed to the account owner.
  • Communications security is the discipline of preventing unauthorized interceptors from accessing a computer system or a communication network while still delivering content to the intended recipients or account owners. With the widespread use of the Internet, ecommerce, and other applications, network and communication security faces more and more challenges.
  • Attackers may use a computing device to perform account take-over (ATO) against an account owner, which may result in millions in fraud and losses. It is in the interest of all parties involved to prevent ATO while continuing to limit the exposure of account owners to further potential fraud.
  • Embodiments disclosed herein include a computer-implemented method for preventing account take-over attacks in which a hardware-based network identifier associated with an addressable identifier of an account owner is changed and the addressable identifier is then used to gain access to data related to the account owner.
  • The method includes receiving a notification that a hardware-based network identifier associated with an addressable identifier of an account owner has been changed, wherein the notification comprises data for identifying the account owner and does not comprise the hardware-based network identifier.
  • The method further includes updating, in a data store storing a plurality of data records, the data record associated with the account owner identified in the notification to indicate the notified change in the hardware-based network identifier.
  • The method further includes, when a request is received from a requesting device operated by a requesting user that requests access to data associated with the account owner on the basis that the requesting user is able to receive communications using the addressable identifier: accessing the data record associated with the account owner in the data store; performing an authentication process based on the data record indicating the notified change in the hardware-based network identifier, wherein the authentication process comprises obtaining authentication information from the requesting user; and permitting the requesting user to access the data associated with the account owner if the obtained authentication information satisfies a predetermined criterion.
  • Embodiments disclosed herein also include a computer system configured to perform the method described above.
  • Figure 1 illustrates a networked system to prevent account take-over attacks in accordance with various embodiments.
  • Figure 2 illustrates an example method of operating a computer system of Figure 1 in accordance with various embodiments.
  • Figure 3 illustrates an example device suitable for use to practice various aspects of the present disclosure, in accordance with various embodiments.
  • Attackers, referred to hereafter as ‘non-trusted parties’ or NTPs, often attempt account take-over (ATO) attacks to obtain access to sensitive or personal information of an account owner held by a computer system.
  • In the attacks addressed here, a hardware-based network identifier associated with an addressable identifier of an account owner is changed and the addressable identifier is subsequently used to gain access to data related to the account owner.
  • The NTP may subsequently change the credentials required to access the accessed data, or may transfer the data elsewhere, to prevent the account owner from regaining access to it.
  • The NTP may also use the personal account to perform financial transactions without the account owner’s knowledge if the personal account holds financial data, or to send messages masquerading as the account owner if the personal account is an email account, for example.
  • The NTP performs the ATO by hijacking and using the addressable identifier.
  • The addressable identifier, which is generally unique to the account owner, is associated by the service provider with a changeable hardware-based network identifier in order to direct communications to the account owner.
  • In a common case, the addressable identifier is the phone number of an account owner, which is associated with hardware-based network identifiers in the form of identifiers stored in a SIM card or in a device.
  • This style of attack is commonly known as SIM swapping, SIM scamming, or SIM jacking.
  • Figure 1 illustrates a networked system 100 in which an NTP has hijacked an addressable identifier belonging to an account owner and has associated the addressable identifier with a new hardware-based network identifier.
  • The NTP utilizes a requesting device 101 with its own hardware-based network identifier 108.
  • The NTP is depicted as a requesting user 102.
  • The NTP and their device are described as a ‘requesting’ user and device respectively because they request information from a computer system 104. While Figure 1 specifically shows the situation during an ATO or SIM swapping attack, the requesting user 102 and requesting device 101 may, in other examples, be the account owner who has legitimately changed a previous hardware-based network identifier to a new hardware-based network identifier 108. This situation is discussed later.
  • The networked system 100 includes a service provider 103, a computer system 104, and the requesting user 102 and requesting device 101.
  • The service provider 103, computer system 104, and requesting device 101 are connected via one or more communication paths 121, 123, 125, 127 over one or more communications networks 131, 133, 135, 137.
  • The communications networks enable communication between the provider 103, system 104, and device 101, and with other systems and devices connected to each network.
  • The communications networks 131, 133, 135, 137 are depicted separately purely for clarity within Figure 1, so that the paths and connections between systems and devices are visible.
  • The communications networks 131, 133, 135, 137 may be the same or different communications networks, as discussed below.
  • At least some of the communications networks 131, 133, 135, 137 are operated and maintained by the service provider 103.
  • The communications networks 131, 133, 135, 137 may be mobile networks, in which case the service provider 103 may be a phone service provider, e.g., AT&T® or Verizon®; or they may be wireless internet networks, in which case the service provider 103 may be an internet service provider.
  • The requesting device 101 may be a wireless phone, a cellular phone, a satellite phone, a VoIP phone, a smart phone, a laptop, a tablet, a personal computer, a point of sale (POS) terminal, a transaction terminal, an IoT device, or a handheld computer.
  • The requesting device 101 runs application software 106, which is client-side software of the computer system 104 and is used by the requesting device 101 to communicate with corresponding application software 107 at the computer system 104 over the communications network 135.
  • The requesting device 101 has an associated hardware-based network identifier.
  • Hardware-based network identifiers identify the requesting device 101 to the service provider 103 when it sends communications via the communications networks, and permit the service provider 103 to direct communications to the requesting device 101.
  • The hardware-based network identifier may be found on a SIM card, for example.
  • SIM cards may be interchangeable between different user devices.
  • SIM cards store data that identifies the SIM card to the service provider 103 and allows the service provider 103 to direct the correct information to the correct account owner via their device and SIM card.
  • SIM cards typically include hardware-based network identifiers such as an International Mobile Subscriber Identity (IMSI), an authentication key that validates the IMSI, and an Integrated Circuit Card Identifier (ICCID), and may also include a SIM card issuer identifier, an identifying number for the user account, or parity digits.
  • A requesting device 101 may also be associated with other hardware-based network identifiers.
  • The International Mobile Station Equipment Identity (IMEI) of the requesting device is another example of a hardware-based network identifier.
  • To identify the requesting device to other devices and systems within the networked system 100, such as the computer system 104, the requesting device also has an addressable identifier that is associated with the hardware-based network identifier by the service provider 103.
  • The addressable identifier may, for example, be a phone number, IP address, or email address.
  • The service provider 103 associates addressable identifiers with one or more hardware-based network identifiers, such as the IMSI and/or IMEI, to track the activity of the requesting device 101 and user 102 within its communications network.
  • The service provider 103 may change the relationship between the identifiers.
  • The computer system 104, which may be the computer system of an ecommerce merchant or a financial organization, maintains personal accounts accessible by account owners via client-side software, e.g., application software on a smartphone or a website such as Visa® Checkout® or PayPal®.
  • The personal accounts store data, some of which may be sensitive.
  • For example, a financial organization's computer system maintains personal accounts in the form of bank accounts for account holders, where the sensitive data comprises financial information and data for performing financial transactions using funds or credit owned by the account owner.
  • Each computer system 104 may include one or more independent computing devices coupled together to perform different actions and communications with other devices in the networked system 100.
  • The computer system 104 includes one or more processors, e.g., a processor 105; a storage device or data store 110 coupled to the one or more processors; the application software 107; and an authentication module 109.
  • The processor 105 is configured to interact with and operate the application software 107 and the authentication module 109.
  • The storage device 110 stores a plurality of data records associated with individual account owners. Each data record may include one or more account owner identifiers and personal information. For example, the account owner identifiers may include the addressable identifier associated with the account owner.
  • The storage device 110 may also store predetermined criteria 113 for use in verifying authentication information received from account owners.
  • The NTP, who is here presumed to be the depicted requesting user 102, has access to the addressable identifier and is diverting communications relating to that addressable identifier to their requesting device 101, because the service provider 103 has associated the addressable identifier with the NTP's hardware-based network identifier 108.
  • The identifier 108 may be activated for the requesting user 102 by the service provider 103 through a communication path 121 and a network 131.
  • Here, this path 121 and network 131 are the mobile network, although the activation may be via a wireless or wired internet connection, depending on the type of device 101, identifier 108, and service provider 103.
  • The service provider 103 replaces stored data relating to the previous hardware-based network identifier with data relating to the new identifier 108, so that communications to the addressable identifier are sent to the NTP's device, in this case the requesting device 101, rather than the account owner’s device (not depicted).
  • When the NTP has gained access to the addressable identifier, it may attempt to perform an ATO against the computer system 104.
  • In ATOs against conventional computer systems, i.e. those not equipped to perform the method described below, the NTP targets a perceived weakness in those systems: they rely on the account owner being able to receive communications at the addressable identifier as proof of identity. The NTP interrupts the flow of communications to the addressable identifier by swapping the association between the addressable identifier and its hardware-based network identifier.
  • The NTP can subsequently masquerade as the account owner and attempt to access sensitive data stored by the systems, because the system assumes that the addressable identifier is associated only with the account owner.
  • The attempt to access sensitive data may take the form of a request to reset a password or a request to log in to an account, in response to which the system sends a one-time password or limited-use key to the addressable identifier.
  • Aspects of the present disclosure provide a method in which a computer system receives a notification that a hardware-based network identifier associated with an addressable identifier of an account owner has been changed, and updates, in a data store storing a plurality of data records, the data record associated with the account owner identified in the notification to indicate the notified change in the hardware-based network identifier.
  • When a request for access to the account owner's data is later received, the computer system accesses the data record associated with the account owner in the data store, performs an authentication process based on the data record indicating the notified change in the hardware-based network identifier, and permits the requesting user to access the data associated with the account owner if the authentication process satisfies a predetermined criterion.
  • The notification received by the computer system identifies the owner.
  • The authentication process may be performed by obtaining authentication information from the user, and the authentication process satisfies the predetermined criterion if the authentication information satisfies the predetermined criterion.
  • In this way the computer system is notified of the change in hardware-based network identifier and acts to verify that the change was legitimate, thereby protecting the sensitive data stored by the system.
  • NTPs also target non-secure servers and communications of computer systems, in addition to the hardware-based network identifiers and computing devices of account owners, to gain access to data that enables them to change hardware-based network identifiers.
  • The methods and systems described herein act to verify changes in the hardware-based network identifiers.
  • The inventors have identified a need to improve the security of data relating to account owners, particularly hardware-based network identifiers, that may be used by NTPs in ATOs.
  • The computer system 104 is configured to operate according to the method 200 depicted in Figure 2. This method makes use of the communication networks and the different relationships established between the components of the networked system 100 to implement the improvements discussed in the preceding paragraphs.
  • The service provider 103 is configured, initially, to notify the computer system 104 that the hardware-based network identifier 108 of the requesting device 101 has been activated for the addressable identifier. In other words, the service provider 103 sends a notification to the computer system 104 alerting it that, in the association between the addressable identifier and its hardware-based network identifier or identifiers, the previous hardware-based network identifier has been replaced by a new one.
  • The notification is received by the computer system 104.
  • The notification from the service provider 103 to the computer system 104 includes data for identifying the account owner to whom the addressable identifier belongs.
  • The service provider 103 generates and dispatches a notification that permits the computer system 104 to identify the account owner or, at the very least, a data record corresponding to the account owner.
  • The notification may include a unique identifier for the account owner, such as the addressable identifier.
  • The notification may also include other identifiers for the account owner that are used for communication between the service provider 103 and computer systems 104. For example, a hashed identifier or token may be used.
  • The notification may be encrypted. In a specific example, the service provider 103 may send a notification to the computer system 104 comprising the phone number of an account owner because a recent device or SIM card change has occurred.
  • In some embodiments the notification consists of the data identifying the account owner. That is, the notification between the service provider 103 and computer system 104, which may be sent over an internet connection, includes only data identifying the account owner. The computer system 104, on receipt of the notification, may interpret the identified owner as having had a recent change in hardware-based network identifier.
  • In some embodiments the data identifying the account owner consists of the addressable identifier.
  • The use of the addressable identifier is particularly beneficial because the addressable identifier is data that cannot be spoofed and will not be spoofed by an NTP, because it is the identifier used in the ATO attacks.
  • The account owner can therefore be identified accurately, so that the computer system 104 ensures it protects the correct data and account.
  • The notification may indicate the type of change that has been made. For example, if the hardware-based network identifier that has been changed comprises an IMEI, then the service provider 103 may identify in the notification that the IMEI has changed. The computer system 104 may react differently depending upon the change, as described below.
  • The notification includes data identifying the account owner but does not include data relating to the hardware-based network identifier.
  • The notification may identify the account owner using any data other than the hardware-based network identifier.
  • No data relating to a SIM card, device identifier, or any other hardware-based network identifier is transmitted or received in the notification, regardless of whether that identifier has changed or not.
  • The method described herein therefore operates to prevent ATO relating to a swapped hardware-based network identifier without exposing or sending the hardware-based network identifier.
  • If SIM card data were sent from the service provider 103 to the computer system 104, that SIM card data could be used maliciously by an NTP who has gained access to the computer system 104.
  • Preventing the hardware-based network identifier from being sent to the computer system 104 prevents the computer system 104 from using it and potentially exposing it to other NTPs, in the event that the change was made legitimately.
  • the notification is received by the computer system 104 at the processor 105 through a communication path 123 and a network 133 between the service provider 103 and the computer system 104.
  • the path 123 and network 133 comprise a wireless communication path such as via the internet or other wireless communication protocol.
  • the processor 105 is configured to update a data record in the storage device 110.
  • the storage device 110 stores a plurality of data records relating to different account owners.
  • the data record is either created as a new record or an existing record corresponding to the account owner is updated based on the data identifying the account owner in the received notification. That is, the processor 105 determines an account owner corresponding to the changed hardware-based network identifier from the notification and updates a data record associated with the determined account owner to reflect the change.
  • the updated record includes an indication of the notified change in hardware-based network identifier.
  • this indication is labelled with reference numeral 111 and is referred to as ‘flagged phone number’.
  • the indication may be implemented by changing one of a plurality of flags or adjusting an authentication criterion of the account owner.
  • the service provider 103 is configured to include an indication of the type of change in the notification
  • the data record may incorporate different flags corresponding to different types of change, or may assign a different authentication criterion to each type of change.
  • the authentication criteria may be arranged into different levels indicating the amount, type, and/or quality of authentication information required at that level, with each type of change raising the level by a predetermined number of levels.
  • the computer system 104 may receive a request for access to data associated with the account owner, as indicated at step 206 of the method 200.
  • This request is received from a requesting device 101 operated by a requesting user 102.
  • the requesting user 102 may be an NTP or the account owner.
  • in the example described here, the requesting user 102 is an NTP.
  • the request to the computer system requests access to data associated with the account owner based on the requesting user 102 being able to receive communications to the addressable identifier that is associated with the account owner.
  • the requesting user 102 uses the requesting device 101 to indicate to the computer system 104 that they are in control of the addressable identifier and therefore should be granted access based on the addressable identifier belonging to the account owner.
  • this system is targeted by NTPs masquerading as the account owner because computer systems often send one-time passwords or other limited-use keys to addressable identifiers such as phone numbers to verify the identity of the requesting user.
  • the addressable identifier of the account owner therefore cannot be trusted to verify the identity of the requesting user. In response to receiving the request 206, the computer system 104 is configured to perform steps 208, 210, and 212 of the method 200.
  • the request is sent to the computer system 104 from the requesting device 101.
  • the requesting device 101 may send the request through the application software 106 operated on the requesting device 101 and along a communication path 125 and a network 135 between the requesting device 101 and the computer system 104 to the application software 107 of the computer system 104.
  • the communication path 125 and network 135 may be via the internet, over the network operated by the service provider 103 or over another network to which the device is connected.
  • the computer system 104 receives the request from the device 101 through the communication path 125 between the device 101 and the computer system 104.
  • the request may be received by the application software 107 operated by the processor 105.
  • the computer system 104 accesses the storage device 110 associated with the account owner whose data is being requested.
  • the purpose of this step is to check the data record corresponding to the request for any indication of a recent change in hardware-based network identifier.
  • the check may be performed by an authentication module 109 operated by the processor 105. Typically, this may involve checking details sent with the request such as log in credentials including a username to determine the account owner to which the request relates.
  • the authentication process may be referred to as a first authentication process to distinguish from other authentication processes, i.e. second or further authentication processes, that occur when the check of the data record does not reveal a recent change.
  • the first authentication process comprises obtaining, from the requesting user 102, authentication information.
  • the authentication information is requested to verify that the requesting user 102 is the account owner.
  • the authentication information may comprise data unrelated to the addressable identifier associated with the account owner because, as has already been noted, the computer system 104 does not know whether the addressable identifier has been compromised or not.
  • although the computer system 104 may be unsure of the status of the requesting device 101, the requesting user 102 and the addressable identifier associated with the hardware-based network identifier 108, it is still possible to interact with the requesting user 102 over a communication path 127 and network 137 to the device 101 or to the addressable identifier, because the authentication information requested is information for verifying or proving that the requesting user 102 is the account owner. In other words, by requesting from the requesting user 102 specifically personal information that only the account owner would know, the computer system 104 can prevent ATO. This is a particularly useful means of determining the identity of the requesting user 102 because no further account details or information are exposed to an NTP.
  • the computer system 104 in this example uses only the account owner data it already holds in order to directly challenge the requesting user 102.
  • the first authentication process may be performed via another device or addressable identifier associated with the account owner, such as a laptop and email address for example if the requesting device is a phone and the addressable identifier is a phone number.
  • the authentication information may still include authentication information specific to the account owner to distinguish the account owner from an NTP.
  • if the predetermined authentication criterion is satisfied, the requesting user is permitted to access the data associated with the account owner as requested. For example, if the request was a login request, the user may be permitted to log in, or if the request was to reset a forgotten password, the requesting user may be permitted to reset the password for the account.
  • the requested data may itself comprise a request for a one-time password or a limited use key to be sent to the addressable identifier.
  • the computer system 104 is configured to send the one-time password as requested.
  • the computer system 104 may receive a login request and may be configured to send a one-time password together with a request for further authentication information.
  • the authentication information may comprise the one-time password and another form of authentication information.
  • the authentication information obtained or requested comprises biometric data.
  • the requesting user 102 may provide the requested biometric data via the requesting device 101, which may include, for example, a fingerprint scanner or a camera and facial recognition software. If the biometric data matches biometric data for the account owner held by the computer system, the predetermined authentication criterion is satisfied and the request is permitted. The user 102 is confirmed as the account owner and the request for information is granted.
  • the biometric data request is typically sent via the internet, and may generally be performed through the application software 106 or a separate application for biometric measurement.
  • the authentication information comprises knowledge that an NTP is unlikely to possess.
  • the knowledge may comprise digits from a personal identification number or confirmation of recent transactions and amounts.
  • This step may be performed via the application software 106, via SMS message over the telephone network, or through a phone call with a customer support operator or automated call handler.
  • the criterion in this example is satisfied if the requesting user 102 correctly answers or provides the information requested.
  • the digits obtained may satisfy the criterion if they exactly match the requested digits.
  • the requesting user 102 may be requested to provide a photo of themselves with an identifying piece of information as the authentication information.
  • Other data that confirms their identity and distinguishes them from an NTP may also be used.
  • the first authentication process is performed where a change is indicated in the database.
  • a second authentication process may be performed if there is no change indicated.
  • the second authentication process may comprise obtaining, from the requesting user, second or further authentication information and permitting the request if a second or further authentication criterion is satisfied.
  • the requirement for the second authentication information, or for the second authentication criterion to be satisfied, is lower than that of the first authentication process.
  • the first authentication process may be stricter or require more authentication information than the second authentication process.
  • user credentials and a one-time password may be sufficient to satisfy the second authentication criteria, whereas additional authentication information in the form of biometric data may be required by the first authentication process to satisfy its criteria.
  • the second authentication process may also be performed after the first authentication process has been passed for further or future requests for access.
  • the first and second authentication process may be defined based on the authentication criterion associated with each process.
  • a first authentication process may have a first authentication criterion or criteria associated with it
  • the second authentication process may have a second authentication criterion or criteria associated with it.
  • the level associated with an account owner may also change over time or upon receipt of suitable authentication information that fulfils the required criteria.
  • once the first authentication process has been passed, the authentication criteria may reduce to level two for subsequent interactions and requests.
  • the authentication criteria may reduce to level two if a predetermined amount of time has elapsed between the notification of the change and the request or current time.
  • Authentication criterion may be satisfied by the amount of authentication information provided, the type of authentication information provided, and/or the quality of authentication information provided. For example, a single piece of biometric data may be considered to satisfy more secure authentication criteria than individual pieces of less secure and more easily spoofed or guessed pieces of personal data such as password, date of birth, and first pet name. As another example, a high-quality picture of the account owner with matching identification may be considered to satisfy higher authentication criteria than a low-quality picture.
  • the authentication criteria may implement further security protocols such as a limit on a number of requests for information associated with the addressable identifier that may be sent or a restriction on providers of the requesting devices. For example, if a plurality of requests are received in short succession, this may be viewed as a potentially suspicious action and the authentication module 109 may be configured to change the authentication criteria to reflect this.
  • the authentication module 109 may be configured to update the data record for the account owner in the data store 110 to reflect this. The account of the account owner may then be locked for access until further verification is performed. This further verification may be more secure than that involved in the first authentication process, requiring more authentication information, to ensure that only the account owner is able to access the personal account.
  • the computer system 104 may be configured to conclude that the change in hardware-based network identifier was not performed by the account owner, and that the requesting user 102 attempting to gain access to the account via requesting device 101 is likely to be an NTP. In some embodiments, the computer system 104 may be configured to alert the service provider 103 that the requesting user 102 could not be verified as the account owner.
  • the computer system 104 may conclude that the requesting user 102 is the account owner and that the change in hardware -based network identifier was legitimate.
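The notification handling and the level-based authentication that follows are pulled together below in one model of the computer system 104. This is an added example written for this page, not code from the patent or from Visa. The field names, the level numbers, the per-change-type increments, the 30-day decay period, the request limit and the evidence accepted at each level are all assumptions; the selection of the separate communication path 127 is not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed names of hardware-based network identifier fields; the text names
# SIM card identifiers, IMEI and MAC addresses. None may appear in a notification.
HARDWARE_ID_FIELDS = {"sim", "iccid", "imsi", "imei", "mac"}

BASE_LEVEL = 2                                   # "level two": the second authentication process
MAX_LEVEL = 4
LEVEL_BUMP = {"sim": 2, "imei": 1, "mac": 1}     # assumed increments per type of change
DECAY_SECONDS = 30 * 24 * 3600                   # assumed: the raised level relaxes after 30 days
RATE_WINDOW = 60                                 # seconds (assumed)
RATE_LIMIT = 3                                   # requests per window before the account locks (assumed)

# Assumed mapping of level to the evidence that satisfies it; the text gives
# credentials plus OTP for level two and adds biometric data for the stricter process.
EVIDENCE_FOR_LEVEL = {
    2: {"password", "otp"},
    3: {"password", "otp", "knowledge"},
    4: {"password", "otp", "knowledge", "biometric"},
}


@dataclass
class AccountRecord:
    account_owner: str
    flagged: bool = False                    # the 'flagged phone number' indication
    change_type: Optional[str] = None        # type of change reported, never the identifier itself
    changed_at: Optional[float] = None
    locked: bool = False
    request_times: List[float] = field(default_factory=list)


def ingest_notification(store: dict, notification: dict, now: float) -> AccountRecord:
    """Record a notified change. Refuses any notification that carries a hardware identifier."""
    leaked = HARDWARE_ID_FIELDS & {k.lower() for k in notification}
    if leaked:
        raise ValueError(f"notification must not carry hardware identifiers: {sorted(leaked)}")
    change_type = notification.get("change_type", "sim")
    if change_type not in LEVEL_BUMP:
        raise ValueError(f"unknown change type: {change_type}")
    owner = notification["account_owner"]
    rec = store.setdefault(owner, AccountRecord(owner))
    rec.flagged = True
    rec.change_type = change_type
    rec.changed_at = now
    return rec


def required_level(rec: AccountRecord, now: float) -> int:
    """Level two unless a recent change is flagged; the raised level decays after DECAY_SECONDS."""
    if not rec.flagged or rec.changed_at is None:
        return BASE_LEVEL
    if now - rec.changed_at >= DECAY_SECONDS:
        return BASE_LEVEL
    return min(MAX_LEVEL, BASE_LEVEL + LEVEL_BUMP[rec.change_type])


def evaluate_request(store: dict, owner: str, evidence: set, now: float) -> str:
    """Check the record, select the first or second authentication process, and decide.

    Returns 'granted', 'denied' or 'locked'. More than RATE_LIMIT requests inside
    RATE_WINDOW lock the account until further verification (not modelled here).
    """
    rec = store.setdefault(owner, AccountRecord(owner))
    if rec.locked:
        return "locked"
    rec.request_times = [t for t in rec.request_times if now - t < RATE_WINDOW]
    rec.request_times.append(now)
    if len(rec.request_times) > RATE_LIMIT:
        rec.locked = True
        return "locked"
    level = required_level(rec, now)
    if EVIDENCE_FOR_LEVEL[level] <= evidence:
        rec.flagged = False      # the stricter process was passed; later requests use level two
        return "granted"
    return "denied"
```

A SIM change raises the account to level four, so credentials and an OTP alone are refused until biometric data and knowledge-based answers are supplied once; after that, or after the decay period, the account is back at level two. The check on `HARDWARE_ID_FIELDS` is the point made earlier in the text: a notification that contains the identifier is rejected rather than stored.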
  • the communication path 127 may be different from the communication path 125.
  • the communication path 127 may include a computing device accessible to the account owner, but different from the device 101.
  • the communication path 127 may include the same device 101, but through a software application operated on the device 101 that is different from the application software 106.
  • the communication path 127 may include additional steps to be operated by the application software 106 or the application software 107.
  • an NTP may use a fake SIM card 108 in the device 101, but it may be difficult for the NTP to gain access to a different communication path directly to the account owner, thereby adding a further layer of complexity that the NTP has to overcome to gain access.
  • the use of three communication paths 123, 125, 127 is a specific implementation on a particular machine architecture to integrate the security protection of association between the user device 101 and the user 102 or the user identifier 111. Furthermore, the use of three communication paths represents a specific feature that is not available in current systems to prevent SIM swapping. For example, the use of the communication path 127 between the requesting user 102 and the computer system 104 can effectively verify whether the hardware-based network identifier 108 of the requesting device 101 has been activated by the account owner or by an NTP, while a conventional computer system cannot perform such a detection.
  • a common ledger or a common database to which service providers and/or computer systems contribute data relating to users.
  • the service providers and/or computer systems may contribute to a chained ledger of addressable identifier to hardware-based network identifier mappings over time.
  • the read/write API keys for the common database are provided only to service providers, so that only they can update the account owner information.
  • computer systems may subsequently read data from this ledger or database with API keys of their own when determining how to respond to login requests.
  • the shared ledger or database provides an efficient proof-based system to track, e.g., SIM cards to phone numbers.
  • the shared ledger or database also provides a global log for cybercrime investigations and does not allow conflicting phone-to-SIM mappings, because there can be only a one-to-one phone-to-SIM mapping at any point in time.
  • the common database is provided in addition to or as an alternative to the user accounts records held by the computer system against which the indication or flag is raised in response to determining a change in SIM card.
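The shared ledger sketched above, as an added example written for this page and not code from the patent or from Visa: an append-only, hash-chained log of phone-number-to-SIM mappings with writer keys for service providers and read-only keys for computer systems. The provider and key names are assumptions, as is the choice to store only a SHA-256 digest of the SIM identifier so that readers learn when a number's mapping changed without learning the identifier itself.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Assumed API keys. Service providers hold read/write keys; computer systems
# (here a bank) hold read-only keys, as the text describes.
WRITER_KEYS = {"carrier-a": "writer-key-a", "carrier-b": "writer-key-b"}
READER_KEYS = {"bank-x": "reader-key-x"}

GENESIS = "0" * 64


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of an entry's fields (excluding its own 'hash'), canonically serialised."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return _sha256_hex(json.dumps(body, sort_keys=True).encode())


class MappingLedger:
    """Append-only, hash-chained log of addressable identifier -> SIM mappings.

    Design choice for this example: the SIM identifier is stored only as a
    SHA-256 digest, so readers learn when a mapping changed but never the
    identifier itself.
    """

    def __init__(self) -> None:
        self.entries: List[dict] = []
        self.active: Dict[str, str] = {}     # phone number -> digest of its currently active SIM

    def append(self, api_key: str, provider: str, phone: str, sim_identifier: str, ts: int) -> dict:
        """Service-provider write: record that `phone` is now served by `sim_identifier`."""
        expected = WRITER_KEYS.get(provider, "")
        if not expected or not hmac.compare_digest(expected, api_key):
            raise PermissionError("only service providers may write to the ledger")
        sim_digest = _sha256_hex(sim_identifier.encode())
        # One-to-one: a SIM may be active for at most one phone number at a time.
        for other_phone, other_sim in self.active.items():
            if other_sim == sim_digest and other_phone != phone:
                raise ValueError("SIM is already active for another phone number")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"provider": provider, "phone": phone, "sim": sim_digest, "ts": ts, "prev": prev}
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        self.active[phone] = sim_digest        # replaces any previous SIM for this number
        return entry

    def verify(self) -> bool:
        """Recompute every hash and check that each entry links to the one before it."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or _entry_hash(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def change_times(self, api_key: str, reader: str, phone: str) -> List[int]:
        """Read access for computer systems: timestamps at which this number's SIM changed."""
        expected = READER_KEYS.get(reader) or WRITER_KEYS.get(reader, "")
        if not expected or not hmac.compare_digest(expected, api_key):
            raise PermissionError("unknown reader")
        return [e["ts"] for e in self.entries if e["phone"] == phone]
```

A computer system deciding how to treat a login request calls `change_times` and compares the most recent timestamp with the request time, which is the same information the flagged record in the previous section carries. Deactivating a number without assigning a replacement SIM is not modelled; a production ledger would need an explicit release entry so that a retired SIM can be reused.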
  • Figure 3 illustrates an example device suitable for use to practice various aspects of the present disclosure, in accordance with various embodiments. While Figure 3 illustrates various components of a computer system, it is not intended to represent any particular architecture or manner of interconnecting the components. One embodiment may use other systems that have fewer or more components than those shown in Figure 3.
  • the data processing system 370 includes an inter-connect 371, e.g., bus and system core logic, which interconnects a microprocessor(s) 373, memory 367, and input/output (I/O) device(s) 375 via I/O controller(s) 377.
  • the microprocessor 373 is coupled to cache memory 379.
  • I/O devices 375 may include a display device and/or peripheral devices, such as mice, keyboards, modems, network interfaces, printers, scanners, video cameras and other devices known in the art. In one embodiment, when the data processing system is a server system, some of the I/O devices 375, such as printers, scanners, mice, and/or keyboards, are optional.
  • the inter-connect 371 includes one or more buses connected to one another through various bridges, controllers and/or adapters.
  • the I/O controllers 377 include a USB (Universal Serial Bus) adapter for controlling USB peripherals, and/or an IEEE-1394 bus adapter for controlling IEEE-1394 peripherals.
  • the memory 367 includes one or more of: ROM (Read Only Memory), volatile RAM (Random Access Memory), and non-volatile memory, such as hard drive, flash memory, etc.
  • Volatile RAM is typically implemented as dynamic RAM (DRAM), which requires power continually in order to refresh or maintain the data in the memory.
  • Non-volatile memory is typically a magnetic hard drive, a magnetic optical drive, an optical drive (e.g., a DVD RAM), or other type of memory system which maintains data even after power is removed from the system.
  • the non-volatile memory may also be a random access memory.
  • the non-volatile memory can be a local device coupled directly to the rest of the components in the data processing system.
  • a non-volatile memory that is remote from the system such as a network storage device coupled to the data processing system through a network interface such as a modem or Ethernet interface, can also be used.
  • the functions and operations as described here can be implemented using special purpose circuitry, with or without software instructions, such as using Application-Specific Integrated Circuit (ASIC) or Field-Programmable Gate Array (FPGA).
  • Embodiments can be implemented using hardwired circuitry without software instructions, or in combination with software instructions. Thus, the techniques are limited neither to any specific combination of hardware circuitry and software, nor to any particular source for the instructions executed by the data processing system.
  • a storage medium may store instructions for practicing methods described with references to Figures 1-2, in accordance with various embodiments.
  • a non-transitory computer-readable storage medium may include a number of programming instructions.
  • Programming instructions may be configured to enable a device, e.g., the device 370, in response to execution of the programming instructions, to perform, e.g., various operations associated with performing security protection of association between the requesting device 101 and the requesting user 102, verifying the hardware-based network identifier 108 of the requesting device 101 has been activated by the requesting user 102 to replace an existing identifier of the requesting device 101 associated with the addressable identifier, operations described in the process 200, or other operations described herein.
  • Routines executed to implement the embodiments may be implemented as part of an operating system or a specific application, component, program, object, module or sequence of instructions referred to as “computer programs.”
  • the computer programs typically include one or more instructions set at various times in various memory and storage devices in a computer, and that, when read and executed by one or more processors in a computer, cause the computer to perform operations necessary to execute elements involving the various aspects.
  • the non-transitory computer-readable storage medium can be used to store software and data which when executed by a data processing system causes the system to perform various methods.
  • the executable software and data may be stored in various places including for example ROM, volatile RAM, non-volatile memory and/or cache. Portions of this software and/or data may be stored in any one of these storage devices.
  • the data and instructions can be obtained from centralized servers or peer to peer networks. Different portions of the data and instructions can be obtained from different centralized servers and/or peer to peer networks at different times and in different communication sessions or in a same communication session.
  • the data and instructions can be obtained in entirety prior to the execution of the applications. Alternatively, portions of the data and instructions can be obtained dynamically, just in time, when needed for execution. Thus, it is not required that the data and instructions be on a machine readable medium in entirety at a particular instance of time.
  • Examples of computer-readable media include but are not limited to recordable and non-recordable type media such as volatile and non-volatile memory devices, read only memory (ROM), random access memory (RAM), flash memory devices, floppy and other removable disks, magnetic disk storage media, optical storage media (e.g., Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks (DVDs), etc.), among others.
  • the computer-readable media may store the instructions.
  • the instructions may also be embodied in digital and analog communication links for electrical, optical, acoustical or other forms of propagated signals, such as carrier waves, infrared signals, digital signals, etc.
  • propagated signals such as carrier waves, infrared signals, digital signals, etc. are not tangible machine readable medium and are not configured to store instructions.
  • a machine readable medium includes any mechanism that provides (i.e., stores and/or transmits) information in a form accessible by a machine (e.g., a computer, network device, personal digital assistant, manufacturing tool, any device with a set of one or more processors, etc.).
  • hardwired circuitry may be used in combination with software instructions to implement the techniques.
  • the techniques are neither limited to any specific combination of hardware circuitry and software nor to any particular source for the instructions executed by the data processing system.
  • a computer-implemented method for communication comprising: receiving, by a processor of a computing system, from a service provider through a first communication path between the service provider and the computing system, a notification that an identifier of a user device has been activated in the user device to be associated with a user identifier to replace an existing identifier of the user device associated with the user identifier, wherein the identifier of the user device is a hardware based network identifier of the user device, and the user identifier is to identify a user by the service provider; storing, in a storage device coupled to the processor, the user identifier of the user to indicate that the existing identifier of the user device associated with the user identifier has been changed; receiving, by the processor, from the user device through a second communication path between the user device and the computing system, a request for information associated with the user identifier to be sent to the user device associated with the identifier of the user device; searching
  • Verifying the identifier of the user device has been activated by the user by the additional authentication of the user may include: sending, to the user through the third communication path between the user and the computing system, a request for authentication information different from the user identifier of the user; receiving, from the user, a response message to the request for authentication information; and authenticating the user based on the response message and a set of rules.
  • the computer-implemented method may further comprise: sending, to the user device associated with the identifier of the user device through the second communication path, after verifying the identifier of the user device has been activated by the user is successful, the requested information associated with the user identifier.
  • the computer-implemented method may further comprise: updating the storage to associate the identifier of the user device with the user identifier.
  • the request for information associated with the user identifier to be sent to the user device may include a request for one time password (OTP) for the user.
  • the request for information associated with the user identifier to be sent to the user device may be received through an application software operating on the user device.
  • the information associated with the user identifier may be for operating the application software by the user.
  • the identifier of the user device may include an identifier for a subscriber identity module (SIM) card, or a media access control (MAC) address of the user device.
  • the user device may include a wireless phone, a cellular phone, a satellite phone, a VoIP phone, a smart phone, a laptop, a tablet, a personal computer, a point of sale (POS) terminal, a transaction terminal, or a handheld computer.
  • the service provider may include a phone service provider or an internet service provider, and the user identifier includes a phone number or an email address.
  • Sending to the user the request for authentication information different from the user identifier of the user may include sending the request to the user through the third communication path that is different from the second communication path.
  • the authentication information may include information the user knows, information the user has, information about what the user is, information about where the user is, or information about what the user does.
  • the set of rules for authenticating the user based on the response message may include a rule about a limit on a number of requests for information associated with the user identifier to be sent to the user device associated with the identifier of the user device, a rule about a limit on a number of identifiers of user devices associated with the user identifier, a rule about a limit on a number of user identifiers associated with the identifier of the user device, a rule about a restriction on providers of the user devices, or a rule providing an authentication scheme corresponding to the identifier of the user device.
  • a computing system comprising: one or more processors, wherein the one or more processors are configured to receive from a service provider through a first communication path between the service provider and the computing system, a notification that an identifier of a user device has been activated in the user device to be associated with a user identifier to replace an existing identifier of the user device associated with the user identifier, wherein the identifier of the user device is a hardware based network identifier of the user device, and the user identifier is to identify a user by the service provider; a storage device coupled to the one or more processors, wherein the storage device is configured to store the user identifier of the user to indicate that the existing identifier of the user device associated with the user identifier has been changed; an application software to be operated by the one or more processors, wherein the application software is to receive from the user device through a second communication path between the user device and the computing system, a request for information associated with the
  • the application software may further be configured to send, to the user device associated with the identifier of the user device through the second communication path, after authenticating the user based on the response message is successful, the requested information associated with the user identifier.
  • the authentication module may further be configured to update the storage to associate the identifier of the user device with the user identifier.
  • the third communication path may be different from the second communication path.
  • the request for information associated with the user identifier to be sent to the user device may include a request for one time password (OTP) for the user.
  • an executable software product stored on a non-transitory computer-readable medium containing program instructions that cause a processor of a computing system, in response to execution of the instructions by the processor, to: receive, from a service provider through a first communication path between the service provider and the computing system, a notification that an identifier of a user device has been activated in the user device to be associated with a user identifier to replace an existing identifier of the user device associated with the user identifier, wherein the identifier of the user device is a hardware based network identifier of the user device, and the user identifier is to identify a user by the service provider; store, in a storage device coupled to the processor, the user identifier of the user to indicate that the existing identifier of the user device associated with the user identifier has been changed; receive, by the processor, from the user device through a second communication path between the user device and the computing system, a request for information associated with the user identifie
  • the program instructions may further cause the processor to: send, to the user device associated with the identifier of the user device through the second communication path, after authenticating the user based on the response message is successful, the requested information associated with the user identifier; and update the storage to associate the identifier of the user device with the user identifier.
  • the third communication path may be different from the second communication path.
  • the request for information associated with the user identifier to be sent to the user device may include a request for one time password (OTP) for the user.

Abstract

Embodiments include apparatuses, methods, and systems for performing security protection of association between a user device and a user. A method for preventing account take-over attacks comprises receiving a notification that a hardware-based network identifier associated with an addressable identifier has been changed. The notification does not comprise data relating to the hardware-based network identifier. The method further comprises, when a request is received for access to data from a requesting device related to the addressable identifier, accessing a data record, performing an authentication process, based on the data record and permitting the request if obtained authentication information from the authentication process satisfies a predetermined criterion.

Description

SECURITY PROTECTION OF ASSOCIATION BETWEEN A USER DEVICE AND A USER
BACKGROUND OF THE INVENTION
[001] A network, e.g., a computer, communications, or data network, includes a collection of components, e.g., terminal nodes or computing devices, computer systems, also referred to as computing systems, that are formed from a group of computing devices, switches, routers, connected by links to enable communication between the terminals, computing devices or systems. Networks are used extensively throughout the world to connect individuals and organizations to make ecommerce possible. A user or ‘account owner’ may use a computing device, to communicate with another computing device or a computer system of an organization through a communication network operated by various service providers. A service provider may identify the account owner by an addressable identifier, identify a device belonging to a user by a hardware- based network identifier, and may further associate the addressable identifier with the hardware- based network identifier to allow communications to be directed to the account owner. Communications security is the discipline of preventing unauthorized interceptors from accessing a computer system or a communication network, while still delivering content to the intended recipients or account owners. With the widespread use of Internet, ecommerce, and other applications, network or communication security is facing more and more challenges.
[002] For example, attackers, referred to hereafter as ‘non-trusted parties’ or NTPs, may attempt to use a computing device to perform account take-over (ATO) of an account owner, which may result in millions in fraud and losses. It is in the interest of all parties involved to prevent ATO while continuing to limit exposure of the account owners to further potential fraud.
SUMMARY
[003] Embodiments disclosed herein include a computer-implemented method for preventing account take-over attacks in which a hardware-based network identifier associated with an addressable identifier of an account owner is changed and the addressable identifier is used to gain access to data related to the account owner. The method includes receiving a notification that a hardware-based network identifier associated with an addressable identifier of an account owner has been changed, wherein the notification comprises data for identifying the account owner and does not comprise the hardware-based network identifier. The method further includes updating, in a data store storing a plurality of data records, a data record associated with the account owner identified in the notification to indicate the notified change in the hardware-based network identifier. The method further includes when a request is received from a requesting device operated by a requesting user that requests access to data associated with the account owner based on the requesting user being able to receive communications using the addressable identifier: accessing the data record associated with the account owner in the data store; performing an authentication process based on the data record indicating the notified change in the hardware-based network identifier, wherein the authentication process comprises obtaining, from the requesting user, authentication information; and permitting the requesting user to access the data associated with the account owner if the obtained authentication information satisfies a predetermined criterion.
[004] Embodiments disclosed herein include a computer system configured to perform a method described above.
BRIEF DESCRIPTION OF THE DRAWINGS
[005] Embodiments will be readily understood by the following detailed description in conjunction with the accompanying drawings. To facilitate this description, like reference numerals designate like structural elements. Embodiments are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings.
[006] Figure 1 illustrates a networked system to prevent account take-over attacks in accordance with various embodiments.
[007] Figure 2 illustrates an example method of operating a computer system of Figure 1 in accordance with various embodiments.
[008] Figure 3 illustrates an example device suitable for use to practice various aspects of the present disclosure, in accordance with various embodiments.
DETAILED DESCRIPTION
[009] The following description is presented to enable one of ordinary skill in the art to make and use the embodiments and is provided in the context of a patent application and its requirements. Various modifications to the exemplary embodiments and the generic principles and features described herein will be readily apparent. The exemplary embodiments are mainly described in terms of particular methods and systems provided in particular implementations. However, the methods and systems will operate effectively in other implementations. Phrases such as "exemplary embodiment", "one embodiment" and "another embodiment" may refer to the same or different embodiments. The embodiments will be described with respect to systems and/or devices having certain components. However, the systems and/or devices may include more or fewer components than those shown, and variations in the arrangement and type of the components may be made without departing from the scope of the current disclosure. Various embodiments will also be described in the context of particular methods having certain steps. However, the method and system operate effectively for other methods having different and/or additional steps and steps in different orders that are not inconsistent with the presented embodiments. Thus, the current disclosure is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features described herein.
[010] Attackers, referred to hereafter as ‘non-trusted parties’ or NTPs, often attempt account take-over (ATO) attacks to obtain access to sensitive or personal information of an account owner held by a computer system. In ATO, a hardware-based network identifier associated with an addressable identifier of an account owner is changed and the addressable identifier is subsequently used to gain access to data related to the account owner. The NTP may subsequently change the credentials required to access the accessed data or may transfer it elsewhere to prevent the account owner from regaining access to it. The NTP may also use the personal account to perform financial transactions without the account owner’s knowledge if the personal account holds financial data, or to send messages masquerading as the account owner if the personal account is an email account, for example.
[011] The NTP performs the ATO by hijacking and using the addressable identifier. The addressable identifier, which is generally unique to the account owner, is associated with a changeable hardware-based network identifier by the service provider to direct communications to the account owner.
[012] In a specific example, the addressable identifier comprises the phone number of an account owner, which is associated with hardware-based network identifiers in the form of identifiers stored in a SIM card or in a device. This style of attack is commonly known as SIM swapping, SIM scamming, or SIM jacking.
[013] Figure 1 illustrates a networked system 100 in which an NTP has hijacked an addressable identifier belonging to an account owner and has associated the addressable identifier with a new hardware-based network identifier. The NTP utilizes a requesting device 101 with their hardware-based network identifier 108. The NTP is depicted as a requesting user 102. The NTP and their device are described as ‘requesting’ users and devices respectively because they request information from a computer system 104. While Figure 1 is specifically related to the situation during an ATO or SIM swapping attack, the requesting user 102 and requesting device 101 may, in other examples, be the account owner who has legitimately changed a previous hardware-based network identifier to a new hardware-based network identifier 108. This situation will be discussed later.
[014] The networked system 100 includes a service provider 103, a computer system 104, and the requesting user and device 102, 101. The service provider 103, computer system 104, and requesting device 101 are connected via one or more communication paths 121, 123, 125, 127 over one or more communications networks 131, 133, 135, 137. The communications networks enable communication between the provider 103, system 104, and device 101 and with other systems and devices connected to each network or networks. Although the communications networks 131, 133, 135, 137 are here depicted separately, this is purely for clarity within Figure 1 and to ensure that the paths and connections between systems and devices are visible. The communications networks 131, 133, 135, 137 may be the same or different communications networks, as will be discussed below.
[015] At least some of the communications networks 131, 133, 135, 137 are operated and maintained by the service provider 103. The communications networks 131, 133, 135, 137 may be mobile networks and the service provider 103 may be a phone service provider, e.g., AT&T® or Verizon®, or may be wireless internet networks and the service provider 103 may be an internet service provider.
[016] The requesting device 101 may be a wireless phone, a cellular phone, a satellite phone, a VoIP phone, a smart phone, a laptop, a tablet, a personal computer, a point of sale (POS) terminal, a transaction terminal, an IoT device, or a handheld computer. The requesting device 101 operates application software 106, which is client-side software of the computer system 104, and is used by the requesting device 101 to communicate with a corresponding application software 107 at the computer system 104 over the communications network 135.
[017] To send communications and interact with other elements of the networked system 100, the requesting device 101 has an associated hardware-based network identifier. Hardware-based network identifiers identify the requesting device 101 to the service provider 103 when sending communications via the communications networks, and permit communications to be directed to the requesting device 101 by the service provider 103.
[018] The hardware-based network identifier may be found on a SIM card, for example. SIM cards may be interchangeable between different user devices. SIM cards store data for identification of the SIM card by the service provider 103 and to allow the service provider 103 to direct the correct information to the correct account owner via their device and SIM card. For example, SIM cards typically include hardware-based network identifiers including an International Mobile Subscriber Identity (IMSI) and an authentication key that validates the IMSI, and an Integrated Circuit Card Identifier (ICCID), and may also include a SIM card issuer identifier, an identifying number for the user account, or parity digits.
[019] Although only SIM card identifiers are discussed above, a requesting device 101 may be associated with other hardware-based network identifiers. For example, an International Mobile Station Equipment Identity (IMEI) of the requesting device is another example of a hardware-based network identifier.
[020] To identify the requesting device to other devices and systems, such as the computer system 104, within the networked system 100, the requesting device also has an addressable identifier that is associated with the hardware-based network identifier by the service provider 103. The addressable identifier may, for example, be a phone number, IP address, or email address.
[021] The service provider 103 associates addressable identifiers with one or more hardware-based network identifiers such as the IMSI and/or IMEI to track the requesting device 101 and user 102 activity within its communications network. The service provider 103 may change the relationship between the identifiers.
[022] The computer system 104, which may be a computer system for an ecommerce merchant or a financial organization, maintains personal accounts accessible by account owners via client-side software, e.g., application software on a smartphone or a website, such as Visa® Checkout® or PayPal®. The personal accounts store data, some of which may be sensitive. For example, a financial organization computer system maintains personal accounts in the form of bank accounts for account holders, wherein the sensitive data therein comprises financial information and data for performing financial transactions using funds or credit owned by the account owner. Each computer system 104 may include one or more independent computing devices coupled together to perform different actions and communications with other devices in the networked system 100.
[023] The computer system 104 includes one or more processors, e.g., a processor 105, a storage device or data store 110 coupled to the one or more processors, the application software 107, and an authentication module 109. The processor 105 is configured to interact with and operate the application software 107 and authentication module 109. The storage device 110 stores a plurality of data records associated with individual account owners. Each data record may include one or more account owner identifiers and personal information. For example, the account owner identifiers may include the addressable identifier associated with the account owner. The storage device 110 may also store predetermined criteria 113 for use in verifying authentication information received from account owners. There may be many other components within the requesting device 101 or the computer system 104, not shown. For example, as would be familiar to the skilled person, there may be more than one processor operating within the requesting device 101, and there may be other modules, APIs, or servers operating within the computer system 104 that are not shown here to ensure clarity of the Figures.
[024] During an ATO attack, the NTP, who is here presumed to be the depicted requesting user 102, has access to the addressable identifier and is diverting communications relating to that addressable identifier to their requesting device 101 because the addressable identifier is associated with the NTP hardware-based network identifier 108 by the service provider 103. To permit association, the identifier 108 may be activated for the requesting user 102 by the service provider 103 through a communication path 121 and a network 131. Typically, this path 121 and network 131 are the mobile network, although the activation may be via a wireless or wired internet, depending on the type of device 101, identifier 108, and service provider 103. By activating the hardware-based network identifier 108, it is meant that the service provider 103 replaces stored data relating to a previous hardware-based network identifier with data relating to the new identifier 108 so that communications to the addressable identifier are sent to the NTP device, in this case the requesting device 101, rather than the account owner’s device (not depicted).
[025] When the NTP has gained access to the addressable identifier, it may attempt to perform an ATO with the computer system 104. In ATOs against conventional computer systems, i.e. those not equipped to perform the method described below, the NTP targets a perceived weakness in those systems where the systems rely on the account owner being able to receive communications at the addressable identifier as proof of identity. That is, the NTP interrupts the flow of communications to the addressable identifier by swapping the association between the addressable identifier and its hardware-based network identifier. The NTP can subsequently masquerade as the account owner, and can attempt to access sensitive data stored by the systems because the system assumes that the addressable identifier is only associated with the account owner. Usually the attempt to access sensitive data is in the form of submitting a request to reset a password or a request to log in to an account, where the system sends a one-time password or limited-use key to the addressable identifier.
[026] In attempting to counteract ATOs arising from NTPs impersonating an account owner by associating a new hardware-based network identifier, the inventors have developed a process performed by computer system 104 that will be described below in relation to Figure 2. The process, methods, and systems described herein for protecting against or preventing ATOs dynamically change the authentication processes of the computer system in response to the change in the hardware-based network identifier and its association with the addressable identifier. By actively implementing a more stringent authentication process where an ATO is expected, the security of an account owner’s sensitive data is improved.
[027] Thus, in general, aspects of the present disclosure provide a method in which a computer system receives a notification that a hardware-based network identifier associated with an addressable identifier of an account owner has been changed and updates, in a data store storing a plurality of data records, a data record associated with the account owner identified in the notification to indicate the notified change in the hardware-based network identifier. When a request is received from a requesting device operated by a requesting user that requests access to data associated with the account owner based on the requesting user being able to receive communications using the addressable identifier, the computer system accesses the data record associated with the account owner in the data store, performs an authentication process based on the data record indicating the notified change in the hardware-based network identifier, and permits the requesting user to access the data associated with the account owner if the authentication process satisfies a predetermined criterion. The notification received by the computing system identifies the owner. The authentication process may be performed by obtaining authentication information from the user, and the authentication process may satisfy the predetermined criterion if the authentication information satisfies the predetermined criterion.
[028] In the above method, the computer system is notified of the change in hardware-based network identifier and acts to verify that the change was a legitimate change, thereby protecting the sensitive data stored by the system. However, the inventors have also identified that NTPs also target non-secure servers and communications of computer systems, in addition to the hardware-based network identifiers and computing devices of account owners, to gain access to data that enables them to change hardware-based network identifiers.
Thus, while the methods and systems act to verify changes in the hardware-based network identifiers, the inventors have identified a need to improve security of data relating to account owners, particularly in relation to hardware-based network identifiers, that may be used by NTPs in ATOs. While there are many ways of improving security of data, in the above method the inventors have leveraged the surprising realization that removing data relating to the hardware-based network identifier from the notification received by the computer system improves the security of account owner data and acts to prevent further ATOs. The lack of data relating to hardware-based network identifier information when attempting to prevent attacks based on the hardware-based network identifier changing may seem counter-intuitive at first, but enables a higher level of protection with a lower level of exposure of sensitive information. When combined with the dynamic authentication process, SIM swapping and other ATO attacks are prevented in at least two ways.
[029] Returning to the Figures, the computer system 104 is configured to operate according to the method 200 depicted in Figure 2. This method makes use of the communication networks and different relationships established between the components of the networked system 100 to implement the improvements discussed in the preceding paragraphs.
[030] Now considering Figures 1 and 2, the service provider 103 is configured, initially, to notify the computer system 104 that the hardware-based network identifier 108 of the requesting device 101 has been activated for the addressable identifier. In other words, the service provider 103 sends a notification to the computer system 104 to alert it to the replacement of the previous hardware-based network identifier with a new hardware-based network identifier in the relationship or association between the addressable identifier and the hardware-based network identifier or identifiers.
[031] At step 202 of the method 200, the notification is received by the computer system 104. The notification from the service provider 103 to the computer system 104 includes data for identifying the account owner to whom the addressable identifier belongs. In other words, the service provider 103 generates and dispatches a notification that permits the computer system 104 to identify the account owner or, at the very least, a data record corresponding to the account owner.
[032] For example, the notification may include a unique identifier for the account owner such as the addressable identifier. The notification may also include other identifiers for the account owner that are used for communication between the service provider 103 and computer systems 104. For example, a hashed identifier or token may be used. The notification may be encrypted. In a specific example, therefore, the service provider 103 may send a notification to the computer system 104 comprising the phone number of an account owner because a recent device or SIM card change has occurred.
[033] In some examples, the notification consists of the data identifying the account owner. That is, the notification between the service provider 103 and computer system 104, which may be via an internet connection, includes only data identifying the account owner. The computer system 104, on receipt of the notification, may interpret the identified owner as having a recent change in hardware-based network identifier. In some examples, the data identifying the account owner consists of the addressable identifier. In examples where the notification includes the addressable identifier, the use of the addressable identifier, either alone or in combination with other data, is particularly beneficial because the addressable identifier is data that cannot be spoofed and will not be spoofed by an NTP, because it is used in the ATO attacks. Therefore, by sending a notification that particularly includes the addressable identifier, the account owner can be identified accurately so that the computer system 104 ensures it protects the correct data and account.
[034] In some examples, the notification may indicate the type of change that has been made. For example, if the hardware-based network identifier that has been changed comprises an IMEI, then the service provider 103 may identify in the notification that the IMEI has changed. The computer system 104 may react differently depending upon the change, as described below.
[035] While the notification includes data identifying the account owner, the notification does not include data relating to the hardware-based network identifier. In other words, the notification may identify the account owner using any data other than the hardware-based network identifier. In some examples, no data relating to a SIM card or device identifier or any other hardware-based network identifier is transmitted or received in the notification, regardless of whether there has been a change or not.
[036] As already discussed, this is a particularly important feature for preserving data integrity and security within the system. While it is a useful aim to prevent ATO and other similar attacks and frauds, the inventors have realized that transferring sensitive and personal data such as SIM card data across a communications network may inadvertently expose the user to more fraud. As will become apparent below, the method described herein operates to prevent ATO relating to a swapped hardware-based network identifier without exposing or sending the hardware-based network identifier. In contrast, if, for example, SIM card data were sent from the service provider 103 to the computer system 104, the SIM card data could be used maliciously by an NTP who has access to the computer system 104. Additionally, preventing the hardware-based network identifier from being sent to the computer system 104 prevents the computer system 104 from using it and potentially exposing it to other NTPs in the event that the change was made legitimately.
[037] The notification is received by the computer system 104 at the processor 105 through a communication path 123 and a network 133 between the service provider 103 and the computer system 104. The path 123 and network 133 comprise a wireless communication path such as via the internet or other wireless communication protocol.
[038] At step 204 of the method 200, and in response to receiving the notification from the service provider 103, the processor 105 is configured to update a data record in the storage device 110. The storage device 110 stores a plurality of data records relating to different account owners. The data record is either created as a new record or an existing record corresponding to the account owner is updated based on the data identifying the account owner in the received notification. That is, the processor 105 determines an account owner corresponding to the changed hardware-based network identifier from the notification and updates a data record associated with the determined account owner to reflect the change.
[039] The updated record includes an indication of the notified change in hardware-based network identifier. In Figure 1, this indication is labelled with reference numeral 111 and is referred to as ‘flagged phone number’. This refers to an example in which the indication of the changed identifier is implemented using a flag against the data record to alert the processor, when future checks are made on the data store, to the changed identifier. In other embodiments, the indication may be implemented by changing one of a plurality of flags or adjusting an authentication criterion of the account owner. For example, where the service provider 103 is configured to include an indication of the type of change in the notification, the data record may incorporate different flags corresponding to different types of change, or may assign a different authentication criterion to each type of change. In some examples, the authentication criteria may be arranged into different levels indicating the amount, type, and/or quality of authentication information required at that level, with each type of change raising the level by a predetermined number of levels.
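The notification and record-update steps described in paragraphs [031] to [039] (steps 202 and 204 of the method 200), as an added worked example that is not part of the patent and not code of the applicant. It assumes, as the text permits, that the service provider identifies the account owner by a keyed hash of the addressable identifier rather than the raw phone number, that a shared pepper for that hash is agreed out of band, and that the computer system rejects any notification carrying SIM or device identifier fields; the field names, the change types and the per-type level increments are constructed for the example.

```python
import hashlib
import hmac

# Constructed example: the service provider and the computer system share this
# pepper out of band so the notification can carry a keyed hash of the phone
# number (the "hashed identifier or token" of [032]) instead of the number.
SHARED_PEPPER = b"example-shared-pepper-not-from-the-page"

# Field names that would carry hardware-based network identifier data. Per [035]
# a notification must never contain them; this list is constructed for the example.
HARDWARE_ID_FIELDS = {"imsi", "imei", "iccid", "sim", "ki", "auth_key"}

# Authentication level raised per notified change type ([039]); constructed values.
LEVEL_INCREMENT = {"sim": 2, "device": 1, "unspecified": 1}


def identifier_token(addressable_identifier: str) -> str:
    """Keyed hash of the addressable identifier; both parties can compute it,
    so records can be matched without transmitting the raw identifier."""
    return hmac.new(SHARED_PEPPER, addressable_identifier.encode(), hashlib.sha256).hexdigest()


def build_notification(addressable_identifier: str, change_type: str = "unspecified") -> dict:
    """Service-provider side: the notification identifies the owner and the type
    of change, and nothing about the old or new hardware identifier."""
    return {"owner_token": identifier_token(addressable_identifier), "change_type": change_type}


def validate_notification(notification: dict) -> None:
    """Computer-system side: refuse notifications that leak hardware identifiers
    or that fail to identify an account owner."""
    present = {key.lower() for key in notification}
    leaked = present & HARDWARE_ID_FIELDS
    if leaked:
        raise ValueError(f"notification must not carry hardware identifiers: {sorted(leaked)}")
    if "owner_token" not in notification:
        raise ValueError("notification must identify the account owner")


def apply_notification(store: dict, notification: dict) -> dict:
    """Step 204: create or update the owner's data record, set a flag for the
    notified change type and raise the required authentication level."""
    validate_notification(notification)
    token = notification["owner_token"]
    change_type = notification.get("change_type", "unspecified")
    record = store.setdefault(token, {"auth_level": 0, "change_flags": set()})
    record["change_flags"].add(change_type)
    record["auth_level"] += LEVEL_INCREMENT.get(change_type, LEVEL_INCREMENT["unspecified"])
    return record


if __name__ == "__main__":
    data_store = {}
    # Constructed sample phone number; a SIM change has just been activated for it.
    record = apply_notification(data_store, build_notification("+15555550100", "sim"))
    print(record)  # {'auth_level': 2, 'change_flags': {'sim'}}
    try:
        apply_notification(data_store, {"owner_token": "x", "imsi": "constructed-value"})
    except ValueError as err:
        print("rejected:", err)
```

The record keyed by the token is what step 208 later consults; the raw SIM or IMEI values never reach the computer system, so a compromise of that system cannot yield them to a further attacker, which is the second protection described in [028].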
[040] Having received the notification and updated the data store, the computer system 104 may receive a request for access to data associated with the account owner, as indicated at step 206 of the method 200. This request is received from a requesting device 101 operated by a requesting user 102. As already identified, the requesting user 102 may be an NTP or the account owner. For the purposes of Figures 1 and 2 it is assumed that the requesting user 102 is an NTP. The request to the computer system requests access to data associated with the account owner based on the requesting user 102 being able to receive communications to the addressable identifier that is associated with the account owner. In other words, the requesting user 102 uses the requesting device 101 to indicate to the computer system 104 that they are in control of the addressable identifier and therefore should be granted access based on the addressable identifier belonging to the account owner.
[041] As discussed above, this system is targeted by NTPs masquerading as the account owner because computer systems often send one-time passwords or other limited-use keys to addressable identifiers such as phone numbers to verify the identity of the requesting user. However, in ATO and particularly SIM swapping, the addressable identifier of the account owner cannot be trusted to verify the identity. Therefore, in response to receiving the request 206, the computer system 104 is configured to perform steps 208, 210, and 212 of the method 200.
[042] To briefly finish discussing the request step 206, the request is sent to the computer system 104 from the requesting device 101. The requesting device 101 may send the request through the application software 106 operated on the requesting device 101 and along a communication path 125 and a network 135 between the requesting device 101 and the computer system 104 to the application software 107 of the computer system 104. Generally, where the application software 106 is used on the device 101 to make the request, the communication path 125 and network 135 are via the internet over the network operated by the service provider 103 or over another network to which the device is connected.
[043] The computer system 104 receives the request from the device 101 through the communication path 125 between the device 101 and the computer system 104. The request may be received by the application software 107 operated by the processor 105.
[044] In response to the request, at step 208 of the method 200, the computer system 104 accesses, in the storage device 110, the data record associated with the account owner whose data is being requested. The purpose of this access is to check the data record corresponding to the request for any indications of recent changes in hardware-based network identifiers. The check may be performed by an authentication module 109 operated by the processor 105. Typically, this may involve checking details sent with the request such as log in credentials including a username to determine the account owner to which the request relates.
[045] In Figure 1, it is assumed that a recent change has been made to the hardware-based network identifier. Therefore, during the check at step 208, the processor 105 or authentication module 109 identifies that there has been a recent change. In response, at step 210, an authentication process is performed based on the data record indicating the notified change in the hardware-based network identifier. The authentication process may be performed by the authentication module 109.
[046] The authentication process may be referred to as a first authentication process to distinguish from other authentication processes, i.e. second or further authentication processes, that occur when the check of the data record does not reveal a recent change. The differences between various authentication processes are discussed in more detail below.
[047] The first authentication process comprises obtaining, from the requesting user 102, authentication information. The authentication information is requested to verify that the requesting user 102 is the account owner. The authentication information may comprise data unrelated to the addressable identifier associated with the account owner because, as has already been noted, the computer system 104 does not know whether this information has been compromised or not.
[048] Although the computer system 104 may be unsure of the status of the requesting device 101, requesting user 102, and addressable identifier associated with the hardware-based network identifier 108, it is still possible to interact with the requesting user 102 using a communication path 127 and network 137 to the device 101 or addressable identifier because the authentication information requested is information for verifying or proving that the requesting user 102 is the account owner. In other words, by requesting specifically personal information that only an account owner would know from the requesting user 102, the computer system 104 can prevent ATO. This is a particularly useful means of determining the identity of the requesting user 102 because there is no further exposure of account details or information to an NTP. The computer system 104 in this example utilizes only the account owner data it has in order to directly challenge a requesting user 102.
[049] In other embodiments, the first authentication process may be performed via another device or addressable identifier associated with the account owner, such as a laptop and email address for example if the requesting device is a phone and the addressable identifier is a phone number. In this example, the authentication information may still include authentication information specific to the account owner to distinguish the account owner from an NTP.
[050] At step 212, if the obtained authentication information satisfies a predetermined criterion, the requesting user is permitted to access the data associated with the account owner as requested. For example, if the request was a login request, the user may be permitted to log in, or if the request was to reset a forgotten password, the requesting user may be permitted to reset the password for the account.
[051] In some examples, the requested data may itself comprise a request for a one-time password or a limited-use key to be sent to the addressable identifier. In permitting the access, the computer system 104 is configured to send the one-time password as requested. In other examples, the computer system 104 may receive a login request and may be configured to send a one-time password together with a request for further authentication information. In other words, the authentication information may comprise the one-time password and another form of authentication information.
[052] In one example, the authentication information obtained or requested comprises biometric data. In response, the requesting user 102 may provide the requested biometric data via the requesting device 101, which may include, for example, a fingerprint scanner or a camera and facial recognition software. If the biometric data matches biometric data for the account owner held by the computer system, the predetermined authentication criterion is satisfied and the request is permitted. The user 102 is confirmed as the account owner and the request for information is granted. The biometric data request is typically sent via the internet, and may generally be performed through the application software 106 or a separate application for biometric measurement.
[053] In another example, the authentication information comprises knowledge that an NTP will not know. For example, the knowledge may comprise digits from a personal identification number or confirmation of recent transactions and amounts. This step may be performed via the application software 106, via SMS message over the telephone network, or through a phone call with a customer support operator or automated call handler. The criterion in this example is satisfied if the requesting user 102 answers or provides the information requested. For example, the digits obtained may satisfy the criterion if they exactly match the requested digits.
[054] In yet a further example, the requesting user 102 may be requested to provide a photo of themselves with an identifying piece of information as the authentication information. Other data that confirms their identity and distinguishes them from an NTP may also be used.
[055] As noted above, the first authentication process is performed where a change is indicated in the database. In the method 200, a second authentication process may be performed if there is no change indicated. The second authentication process may comprise obtaining, from the requesting user, second or further authentication information and permitting the request if a second or further authentication criterion is satisfied. In general, because there has not been a change in hardware-based network identifier, the requirement for the second authentication information or for the second authentication criterion to be satisfied is lower. In other words, the first authentication process may be stricter or require more authentication information than the second authentication process. For example, in one example, user credentials and a one-time password may be sufficient to satisfy the second authentication criteria, whereas additional authentication information in the form of biometric data may be required by the first authentication process to satisfy its criteria. The second authentication process may also be performed after the first authentication process has been passed for further or future requests for access.
[056] The first and second authentication process may be defined based on the authentication criterion associated with each process. For example, a first authentication process may have a first authentication criterion or criteria associated with it, and the second authentication process may have a second authentication criterion or criteria associated with it. There may be a plurality of authentication criteria and associated authentication processes depending on the system, the required security of the data that is the subject of the request, and, in some examples, the type of change that has occurred between the hardware-based network identifier and addressable identifier. As noted above, there may be a tiered or levelled approach to authentication criteria that changes each time a new change is notified. The level associated with an account owner may also change over time or upon receipt of suitable authentication information that fulfils the required criteria. For example, if the authentication criteria are at level three, receipt of authentication information satisfying the level three criteria may reduce the criteria to level two for subsequent interactions and requests. In this situation, the authentication criteria may also reduce to level two if a predetermined amount of time has elapsed between the notification of the change and the request or current time.
[057] Authentication criterion may be satisfied by the amount of authentication information provided, the type of authentication information provided, and/or the quality of authentication information provided. For example, a single piece of biometric data may be considered to satisfy more secure authentication criteria than individual pieces of less secure and more easily spoofed or guessed pieces of personal data such as password, date of birth, and first pet name. As another example, a high-quality picture of the account owner with matching identification may be considered to satisfy higher authentication criteria than a low-quality picture.
[058] Furthermore, the authentication criteria may implement further security protocols such as a limit on a number of requests for information associated with the addressable identifier that may be sent or a restriction on providers of the requesting devices. For example, if a plurality of requests are received in short succession, this may be viewed as a potentially suspicious action and the authentication module 109 may be configured to change the authentication criteria to reflect this.
[059] If, following the method 200, the requesting user 102 fails to satisfy the authentication criterion, either by providing incorrect or no authentication information in response, the authentication module 109 may be configured to update the data record for the account owner in the data store 110 to reflect this. The account of the account owner may then be locked for access until further verification is performed. This further verification may be more secure than that involved in the first authentication process, requiring more authentication information, to ensure that only the account owner is able to access the personal account.
[060] In the above situations, where the user 102 fails the first authentication process, the computer system 104 may be configured to conclude that the change in hardware-based network identifier was not performed by the account owner, and that the requesting user 102 attempting to gain access to the account via requesting device 101 is likely to be an NTP. In some embodiments, the computer system 104 may be configured to alert the service provider 103 that the requesting user 102 could not be verified as the account owner.
[061] If the requesting user 102 does successfully provide the authentication information required to satisfy the criterion, the computer system 104 may conclude that the requesting user 102 is the account owner and that the change in hardware-based network identifier was legitimate.
[062] In some examples, the communication path 127 may be different from the communication path 125. For example, the communication path 127 may include a computing device accessible to the account owner, but different from the device 101. In some other embodiments, the communication path 127 may include the same device 101, but through a software application operated on the device 101 that is different from the application software 106. Furthermore, in some embodiments, the communication path 127 may include additional steps to be operated by the application software 106 or the application software 107. These different communication paths are useful because an NTP may use a fake SIM card 108 of the device 101, but may find it difficult to gain access to a different communication path directly to the account owner, thereby adding a further layer of complexity that an NTP has to overcome to gain access.
[063] In embodiments, the use of three communication paths 123, 125, 127 is a specific implementation on a particular machine architecture to integrate the security protection of association between the user device 101 and the user 102 or the user identifier 111. Furthermore, the use of three communication paths represents a specific feature that is not available in the current systems to prevent SIM swapping. For example, the use of the communication path 127 between the requesting user 102 and the computer system 104 can effectively verify whether the hardware-based network identifier 108 of the requesting device 101 has been activated by the account owner or by an NTP, while a conventional computer system cannot perform such a detection.
[064] In some embodiments, there is provided a common ledger or a common database to which service providers and/or computer systems contribute data relating to users. The service providers and/or computer systems may contribute to a chained ledger of addressable identifier to hardware-based network identifier mappings over time. The read/write API keys for the common database are provided only to service providers so only they can update the account owner information. Computer systems may subsequently read data from this ledger or database with API keys of their own when determining how to respond to login requests. The shared ledger or database provides an efficient proof-based system to track, e.g., SIM cards to phone numbers. The shared ledger or database also provides a global log for cybercrime investigations and does not allow conflicts in phone-SIM mapping as there can only be one-to-one phone-to-SIM mapping at any point in time. The common database is provided in addition to or as an alternative to the user accounts records held by the computer system against which the indication or flag is raised in response to determining a change in SIM card.
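As an added example (not code from the patent or from Visa), the following Python sketch models the flag-and-step-up logic of paragraphs [050] to [061] together with the hashed addressable identifier of claim 7: a SIM-change notification raises an account record to the strict level, a later request must then satisfy the stricter criterion, success relaxes the level, failure locks the record, a burst of OTP requests raises the level, and the level decays after a set time. The level numbers, factor names, OTP limit and decay period are assumptions.

```python
"""Toy model of the tiered authentication criteria described in the disclosure.
Added example; names, levels and thresholds are assumptions, not the patent's."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Assumed levels; [056] describes a levelled scheme without fixing the numbers.
LEVEL_STANDARD = 1   # second authentication process: credentials and OTP ([055])
LEVEL_STEP_UP = 2    # adds proof of identity or a biometric
LEVEL_STRICT = 3     # first authentication process after a SIM change: biometric required

# Sets of authentication information that satisfy each level ([055], [057]).
CRITERIA = {
    LEVEL_STANDARD: ({"credentials", "otp"},),
    LEVEL_STEP_UP: ({"credentials", "otp", "proof_of_identity"},
                    {"credentials", "otp", "biometric"}),
    LEVEL_STRICT: ({"credentials", "otp", "biometric"},),
}


@dataclass
class AccountRecord:
    level: int = LEVEL_STANDARD
    changed_at: Optional[float] = None     # time of the last SIM-change notification
    locked: bool = False
    otp_requests: list = field(default_factory=list)


def hashed_identifier(addressable_identifier: str) -> str:
    """Claim 7: the common data store is keyed by a hash of the addressable
    identifier (e.g. phone number); the SIM identifier itself is never stored."""
    return hashlib.sha256(addressable_identifier.encode("utf-8")).hexdigest()


class AuthenticationModule:
    def __init__(self, otp_limit: int = 3, otp_window: float = 60.0,
                 decay_seconds: float = 7 * 24 * 3600) -> None:
        self.store: dict = {}
        self.otp_limit = otp_limit          # [058]: cap on OTP requests per window
        self.otp_window = otp_window
        self.decay_seconds = decay_seconds  # [056]: level relaxes after enough time

    def record(self, key: str) -> AccountRecord:
        return self.store.setdefault(key, AccountRecord())

    def notify_change(self, key: str, now: float) -> None:
        """Claim 1: the notification identifies the account owner only; the record
        is flagged so that the strict first authentication process applies."""
        rec = self.record(key)
        rec.level = LEVEL_STRICT
        rec.changed_at = now

    def required_level(self, key: str, now: float) -> int:
        """Effective level for a request at time `now`, including time decay."""
        rec = self.record(key)
        level = rec.level
        if rec.changed_at is not None and now - rec.changed_at >= self.decay_seconds:
            level = max(LEVEL_STANDARD, level - 1)   # [056]: one tier lower after decay
        return level

    def request_otp(self, key: str, now: float) -> bool:
        """[051]/[058]: send the OTP unless the request rate looks suspicious, in
        which case withhold it and raise the required level for this record."""
        rec = self.record(key)
        rec.otp_requests = [t for t in rec.otp_requests if now - t < self.otp_window]
        rec.otp_requests.append(now)
        if len(rec.otp_requests) > self.otp_limit:
            rec.level = max(rec.level, LEVEL_STEP_UP)
            return False
        return True

    def authenticate(self, key: str, provided: set, now: float) -> str:
        """Decide a request: 'locked', 'permitted' or 'denied' ([050], [056], [059])."""
        rec = self.record(key)
        if rec.locked:
            return "locked"
        level = self.required_level(key, now)
        if any(required <= provided for required in CRITERIA[level]):
            rec.level = max(LEVEL_STANDARD, level - 1)   # passing relaxes the level
            if rec.level == LEVEL_STANDARD:
                rec.changed_at = None                    # change fully verified
            return "permitted"
        rec.locked = True   # [059]/[060]: failure is recorded and the account locked
        return "denied"
```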
[065] Figure 3 illustrates an example device suitable for use to practice various aspects of the present disclosure, in accordance with various embodiments. While Figure 3 illustrates various components of a computer system, it is not intended to represent any particular architecture or manner of interconnecting the components. One embodiment may use other systems that have fewer or more components than those shown in Figure 3.
[066] In Figure 3, the data processing system 370 includes an inter-connect 371, e.g., bus and system core logic, which interconnects a microprocessor(s) 373, memory 367, and input/output (I/O) device(s) 375 via I/O controller(s) 377. The microprocessor 373 is coupled to cache memory 379. I/O devices 375 may include a display device and/or peripheral devices, such as mice, keyboards, modems, network interfaces, printers, scanners, video cameras and other devices known in the art. In one embodiment, when the data processing system is a server system, some of the I/O devices 375, such as printers, scanners, mice, and/or keyboards, are optional.
[067] In one embodiment, the inter-connect 371 includes one or more buses connected to one another through various bridges, controllers and/or adapters. In one embodiment, the I/O controllers 377 include a USB (Universal Serial Bus) adapter for controlling USB peripherals, and/or an IEEE-1394 bus adapter for controlling IEEE-1394 peripherals.
[068] In one embodiment, the memory 367 includes one or more of: ROM (Read Only Memory), volatile RAM (Random Access Memory), and non-volatile memory, such as hard drive, flash memory, etc. Volatile RAM is typically implemented as dynamic RAM (DRAM), which requires power continually in order to refresh or maintain the data in the memory. Non-volatile memory is typically a magnetic hard drive, a magnetic optical drive, an optical drive (e.g., a DVD RAM), or other type of memory system which maintains data even after power is removed from the system. The non-volatile memory may also be a random access memory. The non-volatile memory can be a local device coupled directly to the rest of the components in the data processing system. A non-volatile memory that is remote from the system, such as a network storage device coupled to the data processing system through a network interface such as a modem or Ethernet interface, can also be used.
[069] In this description, some functions and operations are described as being performed by or caused by software code to simplify description. That is, the techniques may be carried out in a computer system or other data processing system in response to its processor, such as a microprocessor, executing sequences of instructions contained in a memory, such as ROM, volatile RAM, non-volatile memory, cache or a remote storage device.
[070] Alternatively, or in combination, the functions and operations as described here can be implemented using special purpose circuitry, with or without software instructions, such as using Application-Specific Integrated Circuit (ASIC) or Field-Programmable Gate Array (FPGA). Embodiments can be implemented using hardwired circuitry without software instructions, or in combination with software instructions. Thus, the techniques are limited neither to any specific combination of hardware circuitry and software, nor to any particular source for the instructions executed by the data processing system.
[071] While one embodiment can be implemented in fully functioning computers and computer systems, various embodiments are capable of being distributed as a computing product in a variety of forms and are capable of being applied regardless of the particular type of machine or computer-readable media used to actually effect the distribution.
[072] In embodiments, a storage medium may store instructions for practicing methods described with references to Figures 1-2, in accordance with various embodiments. For example, a non-transitory computer-readable storage medium may include a number of programming instructions. Programming instructions may be configured to enable a device, e.g., the device 370, in response to execution of the programming instructions, to perform, e.g., various operations associated with performing security protection of association between the requesting device 101 and the requesting user 102, verifying the hardware-based network identifier 108 of the requesting device 101 has been activated by the requesting user 102 to replace an existing identifier of the requesting device 101 associated with the addressable identifier, operations described in the process 200, or other operations described herein.
[073] Routines executed to implement the embodiments may be implemented as part of an operating system or a specific application, component, program, object, module or sequence of instructions referred to as “computer programs.” The computer programs typically include one or more instructions set at various times in various memory and storage devices in a computer, and that, when read and executed by one or more processors in a computer, cause the computer to perform operations necessary to execute elements involving the various aspects.
[074] The non-transitory computer-readable storage medium can be used to store software and data which when executed by a data processing system causes the system to perform various methods. The executable software and data may be stored in various places including for example ROM, volatile RAM, non-volatile memory and/or cache. Portions of this software and/or data may be stored in any one of these storage devices. Further, the data and instructions can be obtained from centralized servers or peer to peer networks. Different portions of the data and instructions can be obtained from different centralized servers and/or peer to peer networks at different times and in different communication sessions or in a same communication session. The data and instructions can be obtained in entirety prior to the execution of the applications. Alternatively, portions of the data and instructions can be obtained dynamically, just in time, when needed for execution. Thus, it is not required that the data and instructions be on a machine readable medium in entirety at a particular instance of time.
[075] Examples of computer-readable media include but are not limited to recordable and non-recordable type media such as volatile and non-volatile memory devices, read only memory (ROM), random access memory (RAM), flash memory devices, floppy and other removable disks, magnetic disk storage media, optical storage media (e.g., Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks (DVDs), etc.), among others. The computer-readable media may store the instructions.
[076] The instructions may also be embodied in digital and analog communication links for electrical, optical, acoustical or other forms of propagated signals, such as carrier waves, infrared signals, digital signals, etc. However, propagated signals, such as carrier waves, infrared signals, digital signals, etc. are not tangible machine readable medium and are not configured to store instructions.
[077] In general, a machine readable medium includes any mechanism that provides (i.e., stores and/or transmits) information in a form accessible by a machine (e.g., a computer, network device, personal digital assistant, manufacturing tool, any device with a set of one or more processors, etc.).
[078] In various embodiments, hardwired circuitry may be used in combination with software instructions to implement the techniques. Thus, the techniques are neither limited to any specific combination of hardware circuitry and software nor to any particular source for the instructions executed by the data processing system.
[079] The description and drawings are illustrative and are not to be construed as limiting. The present disclosure is illustrative of disclosed features to enable a person skilled in the art to make and use the techniques. Various features, as described herein, should be used in compliance with all current and future rules, laws and regulations related to privacy, security, permission, consent, authorization, and others. Numerous specific details are described to provide a thorough understanding. However, in certain instances, well known or conventional details are not described in order to avoid obscuring the description. References to one or an embodiment in the present disclosure are not necessarily references to the same embodiment; and, such references mean at least one.
[080] According to further aspects of the present disclosure, there may be provided a computer-implemented method for communication, comprising: receiving, by a processor of a computing system, from a service provider through a first communication path between the service provider and the computing system, a notification that an identifier of a user device has been activated in the user device to be associated with a user identifier to replace an existing identifier of the user device associated with the user identifier, wherein the identifier of the user device is a hardware based network identifier of the user device, and the user identifier is to identify a user by the service provider; storing, in a storage device coupled to the processor, the user identifier of the user to indicate that the existing identifier of the user device associated with the user identifier has been changed; receiving, by the processor, from the user device through a second communication path between the user device and the computing system, a request for information associated with the user identifier to be sent to the user device associated with the identifier of the user device; searching the storage device to look up the user identifier; and verifying the identifier of the user device has been activated by the user by an additional authentication of the user through a third communication path between the user and the computing system, when the user identifier is found in the storage device.
[081] Verifying the identifier of the user device has been activated by the user by the additional authentication of the user may include: sending, to the user through the third communication path between the user and the computing system, a request for authentication information different from the user identifier of the user; receiving, from the user, a response message to the request for authentication information; and authenticating the user based on the response message and a set of rules.
[082] The computer-implemented method may further comprise: sending, to the user device associated with the identifier of the user device through the second communication path, after verifying the identifier of the user device has been activated by the user is successful, the requested information associated with the user identifier.
[083] The computer-implemented method may further comprise: updating the storage to associate the identifier of the user device with the user identifier. The request for information associated with the user identifier to be sent to the user device may include a request for one time password (OTP) for the user.
[084] The request for information associated with the user identifier to be sent to the user device may be received through an application software operating on the user device.
[085] The information associated with the user identifier may be for operating the application software by the user.
[086] The identifier of the user device may include an identifier for a subscriber identity module (SIM) card, or a media access control (MAC) address of the user device.
[087] The user device may include a wireless phone, a cellular phone, a satellite phone, a VoIP phone, a smart phone, a laptop, a tablet, a personal computer, a point of sale (POS) terminal, a transaction terminal, or a handheld computer.
[088] The service provider may include a phone service provider or an internet service provider, and the user identifier includes a phone number or an email address.
[089] Sending to the user the request for authentication information different from the user identifier of the user may include sending the request to the user through the third communication path that is different from the second communication path.
[090] The authentication information may include information the user knows, information the user has, information about what the user is, information about where the user is, or information about what the user does.
[091] The set of rules for authenticating the user based on the response message may include a rule about a limit on a number of requests for information associated with the user identifier to be sent to the user device associated with the identifier of the user device, a rule about a limit on a number of identifiers of user devices associated with the user identifier, a rule about a limit on a number of user identifiers associated with the identifier of the user device, a rule about a restriction on providers of the user devices, or a rule providing an authentication scheme corresponding to the identifier of the user device.
[092] According to further aspects of the disclosure, there is provided a computing system, comprising: one or more processors, wherein the one or more processors are configured to receive from a service provider through a first communication path between the service provider and the computing system, a notification that an identifier of a user device has been activated in the user device to be associated with a user identifier to replace an existing identifier of the user device associated with the user identifier, wherein the identifier of the user device is a hardware based network identifier of the user device, and the user identifier is to identify a user by the service provider; a storage device coupled to the one or more processors, wherein the storage device is configured to store the user identifier of the user to indicate that the existing identifier of the user device associated with the user identifier has been changed; an application software to be operated by the one or more processors, wherein the application software is to receive from the user device through a second communication path between the user device and the computing system, a request for information associated with the user identifier to be sent to the user device associated with the identifier of the user device, and the information associated with the user identifier is for operating the application software by the user; and an authentication module to be operated by the one or more processors, wherein the authentication module is to: search the storage device to look up the user identifier; send, to the user through a third communication path between the user and the computing system, when the user identifier is found in the storage device, a request for authentication information different from the user identifier of the user; receive, from the user, a response message to the request for authentication information; and authenticate the user based on the response message and a set of rules.
[093] The application software may further be configured to send, to the user device associated with the identifier of the user device through the second communication path, after authenticating the user based on the response message is successful, the requested information associated with the user identifier.
[094] The authentication module may further be configured to update the storage to associate the identifier of the user device with the user identifier.
[095] The third communication path may be different from the second communication path.
[096] The request for information associated with the user identifier to be sent to the user device may include a request for one time password (OTP) for the user.
[097] According to further aspects of the disclosure, there is provided an executable software product stored on a non-transitory computer-readable medium containing program instructions that cause a processor of a computing system, in response to execution of the instructions by the processor, to: receive, from a service provider through a first communication path between the service provider and the computing system, a notification that an identifier of a user device has been activated in the user device to be associated with a user identifier to replace an existing identifier of the user device associated with the user identifier, wherein the identifier of the user device is a hardware based network identifier of the user device, and the user identifier is to identify a user by the service provider; store, in a storage device coupled to the processor, the user identifier of the user to indicate that the existing identifier of the user device associated with the user identifier has been changed; receive, by the processor, from the user device through a second communication path between the user device and the computing system, a request for information associated with the user identifier to be sent to the user device associated with the identifier of the user device; search the storage device to look up the user identifier; send, to the user through a third communication path between the user and the computing system, when the user identifier is found in the storage device, a request for authentication information different from the user identifier of the user; receive, from the user, a response message to the request for authentication information; and authenticate the user based on the response message and a set of rules.
[098] The program instructions may further cause the processor to: send, to the user device associated with the identifier of the user device through the second communication path, after authenticating the user based on the response message is successful, the requested information associated with the user identifier; and update the storage to associate the identifier of the user device with the user identifier.
[099] The third communication path may be different from the second communication path.
[0100] The request for information associated with the user identifier to be sent to the user device may include a request for one time password (OTP) for the user.

Claims

WHAT IS CLAIMED IS:
1. A computer-implemented method for preventing account take-over attacks in which a hardware-based network identifier associated with an addressable identifier of an account owner is changed and the addressable identifier is used to gain access to data related to the account owner, the method comprising: receiving a notification that a hardware-based network identifier associated with an addressable identifier of an account owner has been changed, wherein the notification comprises data for identifying the account owner and does not comprise the hardware-based network identifier; updating, in a data store storing a plurality of data records, a data record associated with the account owner identified in the notification to indicate the notified change in the hardware-based network identifier; and, when a request is received from a requesting device operated by a requesting user that requests access to data associated with the account owner based on the requesting user being able to receive communications using the addressable identifier: accessing the data record associated with the account owner in the data store; performing an authentication process based on the data record indicating the notified change in the hardware-based network identifier, wherein the authentication process comprises obtaining, from the requesting user, authentication information; and permitting the requesting user to access the data associated with the account owner if the obtained authentication information satisfies a predetermined criterion.
2. The computer-implemented method of claim 1, wherein the data for identifying the account owner comprises the addressable identifier.
3. The method of claim 1 or claim 2, wherein the notification consists of the data for identifying the account owner.
4. The computer-implemented method of any one of claims 1 to 3, wherein the addressable identifier comprises a phone number.
5. The computer-implemented method of any of claims 1 to 4, wherein the hardware-based network identifier comprises an identifier associated with a SIM card.
6. The computer-implemented method of claim 5, wherein the notification does not comprise any data relating to the SIM card.
7. The computer-implemented method of any one of claims 1 to 6, wherein the data store comprises a common data store configured to receive data relating to data records from a plurality of different sources, and wherein the data for identifying the account owner comprises a hashed version of the addressable identifier.
8. The computer-implemented method of any one of claims 1 to 7, wherein the request comprises a request for a one-time password to be sent to the addressable identifier, and wherein permitting the requesting user to access the data comprises sending the one-time password to the addressable identifier.
9. The computer-implemented method of any one of claims 1 to 8, wherein the request comprises a request to access a personal account of the account owner, and wherein permitting the requesting user to access the data comprises permitting access to the personal account.
10. The computer-implemented method of claim 9, wherein, in response to the request, the method further comprises sending a one-time password to the addressable identifier, wherein the obtaining, from the requesting user, authentication information comprises obtaining, from the requesting user, at least the one-time password and proof of identity of the requesting user.
11. The computer-implemented method of any one of claims 1 to 10, wherein the authentication process comprises obtaining from the requesting user via the requesting device or the addressable identifier at least two pieces of authentication information.
12. The computer-implemented method of any one of claims 1 to 11, wherein the obtained authentication information comprises biometric data and wherein the obtained authentication information satisfies the predetermined criterion if the obtained biometric data matches stored biometric data for the account owner.
13. The computer-implemented method of any one of claims 1 to 12, wherein obtaining, from the requesting user, authentication information comprises obtaining at least part of the authentication information from the requesting user via a device or from an addressable identifier that is different to the device and addressable identifier associated with the request for access.
14. The computer-implemented method of any one of claims 1 to 13, comprising: after permitting the request, updating, in the data store storing a plurality of data records, the data record associated with the account owner to indicate that the authentication information satisfied the predetermined criterion; and, in response to further requests for access to data associated with the account owner from a requesting user: accessing the data record associated with the account owner in the data store; performing a further authentication process based on the data record, wherein the further authentication process comprises obtaining, from the requesting user, further authentication information; and permitting the requesting user to access the data associated with the account owner if the obtained further authentication information satisfies a predetermined further criterion that is less strict than the predetermined criterion.
15. A computer system configured to perform the method of any one of claims 1 to 14.
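The flow described in claims 7, 8, 11, 12 and 14, as an added worked example that is not code from the patent or from the applicant: a data store keyed by a keyed hash of the addressable identifier (a phone number), a strict criterion (one-time password plus a biometric match, i.e. two pieces of authentication information) while the record shows an unverified change of the SIM-associated hardware identifier, and a less strict criterion (the one-time password alone) once the record has been updated to show that the strict criterion was satisfied. How the change flag gets set is covered by claims not shown here and is modelled as a constructed input; all class, function and variable names, the hashing key and the sample numbers are assumptions of this example.

```python
"""Step-up authentication keyed on a hashed addressable identifier.

Added example, not code from the patent. Models claims 7, 8, 11, 12
and 14: a data store keyed by a keyed hash of a phone number, a strict
criterion (OTP + biometric) while the record shows an unverified
hardware-identifier change, and a relaxed criterion (OTP only) after
the record has been marked verified. All names are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed key for hashing the addressable identifier; a deployment
# would obtain it from a key management service, not a source file.
HASH_KEY = b"example-hash-key-not-for-production"


def hash_identifier(addressable_identifier: str) -> str:
    """Keyed hash of a normalised phone number; the store never holds
    the plain number (claim 7)."""
    digits = "".join(ch for ch in addressable_identifier if ch.isdigit())
    return hmac.new(HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()


@dataclass
class DataRecord:
    hashed_identifier: str
    # True when the SIM-associated identifier behind this number changed.
    # Detecting that change is outside this example (constructed input).
    hardware_identifier_changed: bool
    # Hash of the enrolled biometric template (constructed stand-in;
    # real biometric matching is fuzzy, not exact hash equality).
    biometric_template_hash: str
    # Set after a strict authentication succeeds (claim 14).
    verified_since_change: bool = False


@dataclass
class AuthResult:
    permitted: bool
    criterion: str  # "strict", "relaxed" or "none"
    reason: str


class AuthStore:
    """Common data store plus the authentication process run over it."""

    def __init__(self) -> None:
        self._records: Dict[str, DataRecord] = {}
        self._pending_otps: Dict[str, str] = {}

    def add_record(self, number: str, changed: bool, biometric: str) -> None:
        h = hash_identifier(number)
        template = hashlib.sha256(biometric.encode()).hexdigest()
        self._records[h] = DataRecord(h, changed, template)

    def issue_otp(self, number: str) -> str:
        """Generate a one-time password for delivery to the addressable
        identifier (claim 8). Returned only so a caller can simulate
        delivery; a real system would hand it to an SMS gateway."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending_otps[hash_identifier(number)] = otp
        return otp

    def is_verified(self, number: str) -> bool:
        rec = self._records.get(hash_identifier(number))
        return bool(rec and rec.verified_since_change)

    def authenticate(self, number: str, otp: str,
                     biometric: Optional[str] = None) -> AuthResult:
        h = hash_identifier(number)
        rec = self._records.get(h)
        if rec is None:
            return AuthResult(False, "none", "unknown identifier")

        # The OTP is single use: consumed by this attempt, pass or fail.
        expected = self._pending_otps.pop(h, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return AuthResult(False, "none", "one-time password invalid or already used")

        strict = rec.hardware_identifier_changed and not rec.verified_since_change
        if not strict:
            # Less strict criterion: the OTP alone suffices (claim 14).
            return AuthResult(True, "relaxed", "otp accepted")

        # Strict criterion: a second piece of authentication information
        # (claim 11), here a biometric match (claim 12).
        if biometric is None:
            return AuthResult(False, "strict", "biometric required after hardware identifier change")
        sample = hashlib.sha256(biometric.encode()).hexdigest()
        if not hmac.compare_digest(sample, rec.biometric_template_hash):
            return AuthResult(False, "strict", "biometric did not match stored template")

        # Update the record so later requests use the less strict criterion.
        rec.verified_since_change = True
        return AuthResult(True, "strict", "otp and biometric accepted; record marked verified")


if __name__ == "__main__":
    store = AuthStore()
    number = "+1 (555) 010-0001"  # constructed sample number
    store.add_record(number, changed=True, biometric="fp-template-A")
    print(store.authenticate(number, store.issue_otp(number)))
    print(store.authenticate(number, store.issue_otp(number), "fp-template-A"))
    print(store.authenticate(number, store.issue_otp(number)))
```

The check a practitioner would want is that the relaxation is one-way and record-bound: the relaxed path is reached only after a successful strict authentication has updated the record, the OTP is consumed on every attempt so a failed strict attempt cannot be replayed against the relaxed path, and the store is keyed on the hashed identifier so a lookup with a differently formatted number (or the plain number) never reaches a record.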
PCT/US2021/012066 2020-01-02 2021-01-04 Security protection of association between a user device and a user WO2021138663A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP21736223.5A EP4085592A4 (en) 2020-01-02 2021-01-04 Security protection of association between a user device and a user

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US202062956432P 2020-01-02 2020-01-02
US62/956,432 2020-01-02
US17/116,257 2020-12-09
US17/116,257 US11861582B2 (en) 2020-01-02 2020-12-09 Security protection of association between a user device and a user

Publications (1)

Publication Number Publication Date
WO2021138663A1 true WO2021138663A1 (en) 2021-07-08

Family

ID=76559294

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2021/012066 WO2021138663A1 (en) 2020-01-02 2021-01-04 Security protection of association between a user device and a user

Country Status (5)

Country Link
US (1) US11861582B2 (en)
EP (1) EP4085592A4 (en)
CN (1) CN113065117A (en)
SG (1) SG10202013162WA (en)
WO (1) WO2021138663A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023137288A1 (en) * 2022-01-13 2023-07-20 Dish Wireless L.L.C. Systems and methods for authenticating a subscriber within the network core

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120003957A1 (en) * 2009-07-14 2012-01-05 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for verification of a telephone number
US9160830B2 (en) * 2005-07-25 2015-10-13 Mediatek Inc. Mobile communication apparatus having anti-theft and auto-notification functions
KR20160055130A (en) * 2013-07-05 2016-05-17 에스지엑스 에이에스 Method and system related to authentication of users for accessing data networks
US9384479B2 (en) * 2012-03-15 2016-07-05 Moqom Limited Mobile phone takeover protection system and method
US9572014B2 (en) * 2007-09-01 2017-02-14 Apple Inc. Service provider activation with subscriber identity module policy

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11218854B2 (en) * 2009-01-28 2022-01-04 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US9955332B2 (en) * 2009-01-28 2018-04-24 Headwater Research Llc Method for child wireless device activation to subscriber account of a master wireless device
US9557889B2 (en) * 2009-01-28 2017-01-31 Headwater Partners I Llc Service plan design, user interfaces, application programming interfaces, and device management
US9392462B2 (en) * 2009-01-28 2016-07-12 Headwater Partners I Llc Mobile end-user device with agent limiting wireless data communication for specified background applications based on a stored policy
US8893009B2 (en) * 2009-01-28 2014-11-18 Headwater Partners I Llc End user device that secures an association of application to service policy with an application certificate check
US8875255B1 (en) * 2012-09-28 2014-10-28 Emc Corporation Preventing user enumeration by an authentication server
GB2517276B (en) 2014-06-18 2015-09-30 Validsoft Uk Ltd Detecting porting or redirection of a mobile telephone number
GB201417565D0 (en) 2014-10-03 2014-11-19 Moqom Ltd Identity and risk management system and method
GB2533095A (en) 2014-12-08 2016-06-15 Cryptomathic Ltd System and method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9160830B2 (en) * 2005-07-25 2015-10-13 Mediatek Inc. Mobile communication apparatus having anti-theft and auto-notification functions
US9572014B2 (en) * 2007-09-01 2017-02-14 Apple Inc. Service provider activation with subscriber identity module policy
US20120003957A1 (en) * 2009-07-14 2012-01-05 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for verification of a telephone number
US9384479B2 (en) * 2012-03-15 2016-07-05 Moqom Limited Mobile phone takeover protection system and method
KR20160055130A (en) * 2013-07-05 2016-05-17 에스지엑스 에이에스 Method and system related to authentication of users for accessing data networks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP4085592A4 *

Also Published As

Publication number Publication date
US20210209574A1 (en) 2021-07-08
SG10202013162WA (en) 2021-08-30
EP4085592A4 (en) 2023-04-19
EP4085592A1 (en) 2022-11-09
CN113065117A (en) 2021-07-02
US11861582B2 (en) 2024-01-02

Similar Documents

Publication Publication Date Title
US11832099B2 (en) System and method of notifying mobile devices to complete transactions
US10360561B2 (en) System and method for secured communications between a mobile device and a server
EP2652688B1 (en) Authenticating transactions using a mobile device identifier
US10552823B1 (en) System and method for authentication of a mobile device
US9596237B2 (en) System and method for initiating transactions on a mobile device
US20140156531A1 (en) System and Method for Authenticating Transactions Through a Mobile Device
US20120150748A1 (en) System and method for authenticating transactions through a mobile device
US11317282B2 (en) Intelligent method for sim-swap fraud detection and prevention
JP5571854B2 (en) User account recovery
US8656468B2 (en) Method and system for validating authenticity of identity claims
US11658962B2 (en) Systems and methods of push-based verification of a transaction
WO2015150917A2 (en) System and method for authenticating transactions through a mobile device
KR101879843B1 (en) Authentication mehtod and system using ip address and short message service
US20230300621A1 (en) Subscriber Identification Module (SIM) Authentication Protections
WO2021138663A1 (en) Security protection of association between a user device and a user
US20100153275A1 (en) Method and apparatus for throttling access using small payments
KR20130005635A (en) System for providing secure card payment system using mobile terminal and method thereof
US20240005312A1 (en) Multi-Factor User Authentication Using Blockchain Tokens
US20230196349A1 (en) Multi-Factor User Authentication
AU2010361584B2 (en) User account recovery

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21736223

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2021736223

Country of ref document: EP

Effective date: 20220802